
[ASSACHUSETTS INSTITUTE OF TECHNOLOGY 
ARTIFICIAL INTELLIGENCE LABORATORY 

No, 685 September, 1982 


Symbolic Error Analysis and Robot Planning 

Rodney A. Brooks 


irograro to control a robot manipulator for industrial assembly operations must 
:iunt possible errors in parts placement and tolerances of the parts themselves, 
roaches to this problem have been to (1) engineer the situation so that the 
jail or (2) let the programmer analyze the errors and take explicit account 
is paper gives the mathematical underpinnings for building programs (plan 
carry out approach (2) automatically. The plan checker uses a geometric 
atabase to infer the effects of actions and the propagation of errors. It does 
ally rather than numerically, so that computations can be reversed and desired 
crances can be used to infer required initial tolerances or the necessity for 
s checker modifies plans to include sensing and adds constraints to the plan 
t that it will succeed. An implemented system is described and results of its 
; presented. The plan checker could be used as part of an automatic planning 
an aid to a human robot programmer. 


sments. This report describes research done at the Artificial Intelligence 
>f the Massachusetts Institute of Technology. Support for the Laboratory’s 
elligence research is provided in part by the Office of Naval Research un* 

1 Naval Research contract N00014-81-K 0494 and in part by the Advanced 
>jects Agency under Office of Naval Research contract N00Q14- 80--C- 0505. 

TS INSTITUTE OF TECHNQlQfl 1912 i 












Task 


Figure 
a plan 



Robot 

Controller 


T 

they v 
ranges 

to $Ug! 

place. 


bot systems considered in this paper consist of three agents. A robot controller, 
ir and a combined robot controller and robot manipulator. 


1. Introduction 


by tin 
branc 


lit: I 


• 1 Bnr 


3 er presents a method for checking and modifying robot plans to ensure that 
rk given mechanical errors in placement and orientation of workpieces, and 
erances in the construction of the workpieces themselves. The paper goes on 
m the same method might be used to generate complex robot plans in the first 


BUEl 




plan is a program for a robot controller. It describes the motions to be made 
and the sense operations to carried out. It is a computer program and includes 
iditional on sense operations. 

tic generation of plans for robots is a rich field of research that has many 


2 










un solve 


and au 
Section 
tasks c 
planne 


Sul 


liVMl 


to perf 
carried 


the tas 


check 
and un 
grams 
on ho 


mamp 

about 


l'lKlOJ! 


compu 




in 


planne 


1.1 Urajce 


tainti 
plan i 




lems. Very few attempts have been made to build programs which completely 
cally generate a robot plan, then command the robot to actually carry it out. 
ntions some previous attempts and their successes and shortcomings. Most 
out by today’s robots, even in centers of Artificial Intelligence research, are 

eople. 

i robot planner is used to refer to an agent planning to use a robot manipulator 
ime task. A robot planner may either be a person planning the actions to be 
/ a robot, or an intelligent program performing the same task. Even for people, 
lite difficult and it is worthwhile building automatic aids. 

ler provides the underpinnings for building programs that can automatically 
?r a plan generated by a robot planner is feasible, i.e. whether it is applicable 
hat circumstances it will achieve the goals set by the robot planner. Such pro¬ 
bed plan checkers. In addition, plan checkers can at times provide information 
i a plan to ensure that it will work. 

plan has been checked, a robot controller executes the plan, using a robot 
and sensors to interact with the physical world. The plan checker must reason 
inabilities of the robot controller in order to check and modify plans for the 
s that the controller will make in interpreting sensor readings. 

t implementations of robot systems the distinctions between the three agents, 
cker and controller, will be much fuzzier than shown in figure 1. 

nties. 

r thrust of this work is in ensuring that a plan will succeed in spite of uncer- 
lie physical world whose values can not be exactly determined at the time the 
ulated. There are three major sources of uncertainties. 


3 














1. Rob 
and pa 


a mam 


at a sp 
speed ci 
situatio 


precise!; 
and ov 
stochaii 


aa 


The pp 


cause 


ui Pig 


during pla 


more a< 
cost an 
trying i 


2. To n 
never i< 
specific 
Parts n 
within 
thernse 
task. A 
coming 


(i■n 


•Mg 


3. Ofi 
workpi* 
parts' 
of the 
planne 
initial 


[illS; 


lipulators are complex mechanical devices. There are upper bounds on speed 
and limits to accuracy and repeatability. The absolute positional accuracy of 
r is the error in that results when it is instructed to position its end effector 
position and orientation in space. This may depend on temperature, load, 
ement and the particular position within its work area. Furthermore, in a 
re these parameters are all fixed, a manipulator will not in general return to 
same location and orientation when commanded to repeat an operation over 
a error measures the positional repeatability. There can be contributions from 
sets, and from long term drift effects which can be corrected by calibration, 
al and repeatability errors of current manipulators are sufficiently large to 
ns in carrying out a large class of planned tasks in the absence of feedback 
xecution. Manipulators can be made more accurate by machining their parts 
ely and using more resilient materials. There is however a tradeoff between 
’ormance of manipulators, so that there is a point of diminishing returns in 
Id ever more accurate mechanisms. 

natters worse for the robot planner, multiple copies of a mechanical part are 
al in all their dimensions. It is impossible to manufacture parts with exact 
Instead, designers specify tolerances for lengths, diameters, and angles, 
rom the design can take on any physical values for the parameters which fall 
Bsigned tolerances. The effects of these variations might be large enough by 
» be a significant factor in the success or failure of a planned robot manipulator 
many parts are assembled into a whole, the individual small variations can 
become large. 

5 most significant source of uncertainty is the position and orientation of a 
^en it is first introduced into the task. Mechanical feeders sometimes deliver 
,rge uncertainties in position and orientation, sometimes on the order of 50% 
the part. Conveyor belts deliver parts with even larger uncertainties. A robot 
i includes actions in the plan that are aimed at significantly reducing these 
dainties. The methods described in this paper can be used to analyze those 




4 










subplai 


HIKlt. 


uncerta 
profiler] 
too srn 
may be 
and pa] 
and thi 


approa 


are sm; 


can be 


that ro 
them i 


[iKil 


direct) 

inferer 


1.2 PI 


i if 


plans, 


— see 


The pr 
decom 


•iiliail 


ii.mn 


>r a robot to carry out a task must take into account these three sources of 
it is to be guaranteed to succeed. There are two standard responses to the 
incertainties. One is to ignore them, based on the assumption that they are 
fleet the success of the plan based on nominal values. (Significant engineering 
sary to ensure the validity of such an assumption, e.g. the construction of jigs 
A- second is to estimate the uncertainties, compute the effects of uncertainties, 
;ide if they are too large for the plan to work. This paper offers a third 
consists of computing the effects of the uncertainties symbolically. If they 
ugh, the plan can be accepted. Otherwise the most significant uncertainties 
ied, and the plan can then either be constrained to succeed in spite of them, 
be identified to reduce those uncertainties, or the plan can be modified to use 
proach which can succeed. 

out the paper uncertainly is used rather than error. This is intended to stress 
ans can take into account what are traditionally called errors, and deal with 
inner which ensures that the plans will succeed. 

ne of this paper is that while uncertain situations are hard to compute with 
5 possible to make inferences about uncertainties and compute with those 


(1963) introduced the notion of hierarchically decomposing a plan into sub- 
planning islands. A plan is split up into a linear sequence of smaller subplans 
2. Each level is more detailed. The levels are often called levels of abstraction. 
?f planning then consists of making a top-level plan less and less abstract by 
it into subplans, and filling in details at the lower levels. 


5 












Figure 
e.g. A 
left nei 


:j. p 

j>r B, 
hboij 


lfcns can be decomposed hierarchically into subplans. Any particular subplan, 
■:an be abstractly viewed as a complete plan to get from the state left by its 
to the state desired by its right neighbor. 


instance, if 
jfbbot 
,i,ch s 
constraints 


B the 
Thus e 


At 

deferred 

commo 


any 
untl 
hlv 


rt 


THIere Ire various constraints that link the more detailed subplans together. For 
;ubplan A is followed immediately by subplan B, then at entry to subplan 
planner assumes the state of the world to be that upon exit from subplan A . 
bplan imposes constraints on subplans that follow. Dually, a subplan inherits 
4-orii proceeding subplans. 


stage of a planning process there may be many decisions that have been 
1 later constraints generated by the planning process have been checked (this is 
ferrcd to as posting constraints , e.g. Sacerdoti (1977), Stelik (1981)). There is 


6 







Figure l. A1 
states a ong 


any level of abstraction a plan consists of specifications of the initial and final 
vith an action to effect the transition. 


little a 



of figui 
states 1 
a class 
final st 


0 ■ *Ti 


handl 


Fi. 

role of 


i in 


paramdte 




mge to making a decision until absolutely necessary. Instead, facts that affect 
ould be collected along the way and the decision should be made only when 
Eventually the combined effects of the facts affecting a decision have been 
,nd it simply remains to make all of the outstanding decisions while satisfying 
ts. 

bplan can be considered at some level of abstraction to conform to the scheme 
fhere is a class of possible initial states of the world (which should include all 
meet the conditions imposed by the previous subplan in the chain). There is 
ssible final states of the world. The action is a mapping from initial states to 
The possible final states should be a subset of the initial states which can be 
he following subplan. 

; shows a plan that has been modified to include some sensing operations. The 
»bot controller is now clear. It must interpret the sensory data and relate it to 
>f the planned action. 


7 












other is 
itself) a 
interpre 
from se 


ftlSUli 


to ligur 
hidden 
sensing 
well be 
here ne 


style o 
to use 
and se 


iLiHUMl! 


1.3 Fi 


The fo 


OUTC 


OUTC 
infor 


OUTC 
to ens r 


)bot planner must maintain two models. One is a model of the world. The 
del of the state of knowledge of the robot controller (which will perhaps be 
time the plan is being executed. The robot planner must reason about the 
capabilities of the robot controller, in terms of the knowledge it will have 
data and its knowledge retained from previous plan steps. 

med for simplicity that a plan generated by the robot planner corresponds 
rhe plan may include sensing operations but they may be considered to be 
black box of the initial state. The plan checker need only concern itself with 
tions that it suggested. In reality, the robot planner and plan checker may 
f integrated, or even indistinguishable. The essence of the model presented 
less remains valid in that context. 

'oach to plan checking presented here makes no particular commitment to the 
ling used to generate the plans originally. In fact section 6.2 discusses ways 
vo different planing systems working on the same problem. The mathematics 
s of plans are more central concerns. 


plan checker is checking a subplan, there are a number of possible outcomes. 
f six are considered here. 

: It can accept the plan as workable, perhaps adding further constraints. 

!: It can add sensing operations to provide more accurate execution-time 
to the robot controller, to ensure that the plan will work. 

: It can change the pre-conditions it requires from previous subplans in order 
it the plan works. 


8 













Figure 
state oi 
robot o 
data. 


OUTC 


not me 


OUTC 

availal 


OUTC 


how m 


addititj 

algorit 




plan can include an explicit sensing phase. This does not change the initial 
’orld, but it docs change the robot’s knowledge of the state of the world. The 
ler must do some reasoning at plan execution time to interpret the sensory 


: It can do any of 1, 2, or 3 with the additional caveat that the final state will 
straints as tight as those currently required by the next subplan in the chain. 

: It. can reject the plan if it determines that there are no sensing operations 
t are powerful enough to guarantee that the action will be applicable. 

: It can reject the plan if it is deemed geometrically infeasible independent of 
e uncertainties in the physical system can be reduced by sensing operations. 

irithm presented later in this paper has five of these six possible outcomes. In 
athematical model is developed which provides a framework for designing such 
veil any suitable mechanism for inference on constraints. 


9 













1.4 Out 


1. Secti 


uncert 


Eiil'i 


express| 
tasks, 
ing nu 
paper, 


inequali 
initial c 
be fixe 


Taylor 
of four 
betweei 


in a m 


the tex 
the ess 


KHI 




SMI 




!(•] 


Cl I 


can be 


2. Sec 
tions a 
constra 


associa 




operatic ns, 


the Paper. 

r approaches plan checking in three ways. 

resents two examples of the use of symbolic algebra and reasoning to analyze 
in physical situations. 

example is a single step in a plan presented in full detail. The algebraic 
ivolved have the complexity that can be expected in realistic plan checking 
ue to Taylor (1976). He estimated errors in an assembly task by propagat- 
errors forward through a geometric model of a physical situation. In this 
er, symbolic expressions are computed and propagated. Once the algebraic 
•e set up, it is possible to use them in several ways. First following Taylor, the 
lints can be fixed and the results computed. Second, the desired results can 
the constraints those results imply for the initial situation can be computed. 

nd example is a simplified version of an assembly operation carried out by 
i and Evans (1976) have a series of photographs). It includes the interactions 
slands and is intended to demonstrate realistic interactions which can occur 
i in a plan. The algebraic expressions are perhaps Bimpler than might be found 
.listic plan. Section 2 introduces the example which is then used throughout 
iotivate and exemplify the theoretical constructs. It is simplified to bring out 
aspects of the plan checking algorithm in such a way that the symbolic algebra 
ed without the aid of a computer. 

develops a formal model of plans. In addition it shows how sensing opera- 
he structure of a plan. Section 4 then examines the formal mathematics of 
ithin this framework, and identifies the properties of mathematical quantities 
th a plan which can be used to check the validity of the plan, suggest sensing 
nd propagate constraints forwards and backwards between planning islands. 


10 










3. Sect! 
terms o 
exists t 


n 5 i 
cert 
con 


istantiates the formal mode] of a plan checker developed in sections 3 and 4 in 
iin computable properties of non-linear algebraic inequalities. An algorithm 
pute these properties. The instantiated plan checker is able to carry out 


precis^ 


the 


computations developed in the example of section 2. 


Fi 

problei 


illy 
5 an 


ection 6 relates this work to previous work on planning, and points out 
areas for further development. 


11 







the essi 
demons 
and un 
four in 


sumin 


a plan 
and ho 


iS&l! 


is consl 


checki] 


given 




nr 


in a si 


approm 
symbol 
the A 
detail i 


Appen 


orient 


51 nn 


uncert 

above 


iiiiwia 


orient 


2. Some Examples 

mples of plan checking are given in this section. The first example shows 
features of the plan checking algorithm on a realistic single plan island. It 
the basic idea of propagating desired results backwards through tolerance 
lty computations. The second example uses simplified geometry but shows 
ng plan islands. Only its structure is introduced in this section, along with a 
tie results of running an implemented plan checker over it. It demonstrates how 
r can choose the best place to introduce sensing into a sequence of operations, 
in resolve plan decisions which may not be intuitively obvious. The example 
in more detail in section 5 to illustrate the behavior of an implemented plan 
irithm. The appendix shows the complete specification of the four plans as 
mplementcd plan checker. 

ically Complex Example. 

don illustrates a plan checker symbolically analyzing the uncertainties involved 
Insertion task. The example is taken from Taylor (1976). It contrasts the 
propagating numeric errors with the methods described later in this paper for 
lysis of uncertainties. The computations for this example were carried out by 
fM model-based vision system, described in in Brooks (1981a) and in more 
oks (1981b). 

» is a close up view of a model of the situation described in example 2 of 
of Taylor (1976). 

a box with four holes in its top sitting on a table with a given position and 
ibout the vertical axis. The position and orientation are subject to known 
. A manipulator hand holding a screwdriver, with a screw at the end, is placed 
the holes. It has three degrees of position uncertainty, and three degrees of 
ncertainty. In addition the screw has two degrees of rotational freedom in its 

12 












Figure 
rnanip\|i 
screw it 


attach 
axes w 
in posi 
of the 

Ti 

for the 


4 


). 

ator 
attai 


box rests upon a table with an uncertain position and orientation. A 
|hand with uncertain position and orientation grasps a screwdriver to which a 
hed with two rotational degrees of freedom. 


{dor i 
srror 


Went t|> the screwdriver. It can wobble backwards and forwards about two orthogonal 
ifrch g|> through the center of the end of the screwdriver shaft. If all the uncertainties 
Kon a|d orientation are zero then the tip of the screw should be exactly in the center 
Hole oli the box. 


|sed the following constraints on the errors. The variable names are mnemonics 
to which they refer. 


— 0.3 

< 

BOX-DELTA-POS-X 

< 0.3 

—0.2 

< 

B0X-DELTA-P0S-Y 

< 0.2 

—5° 

< 

BOX-DELTA--0RI 

< 5° 

—0.05 

< 

HAND-DELTA-POS-X 

< 0.05 

-0.05 

< HAND-DELTA-POS-Y 

< 0.05 

-0.25° 

< 

HAND-WOBBI.E-X 

< 0.25° 

-0.25° 

< 

HAHD-W0BBLE-Y 

< 0.25° 

o 

'lTj 

C'j 

o 

{ 

< 

HAHD-W0BBLE-Z 

< 0.25° 

-5° 

< 

SCREW-W0BBLE-Y 

< 5° 

-5° 

< 

SCREW-W0BBLE-Z 

< 5° 


13 





Taylor 
screw 1 




locatio 

tracing 

express 

coordin 


simplil 


[iKiiia 


With 


mi 


the thr 
followi 




Bd a screwdriver of length DRIVER-LENGTH that was exactly 10 inches. A fixed 
was also assumed. 

ras interested in predicting the uncertainty that could be tolerated in the 
ic tip of the screw relative to the center of the hole. This can be done by 
gh the coordinate transforms relating the parts of the model to get a symbolic 
r the coordinates of the screw tip in the coordinate system of the hole. The 
ansfonns can then be multiplied out symbolically (provided suitable algebraic 
can be done - see Brooks (1981a)) to get expressions for the three coordinates, 
rors these coordinates would be (0,0,0). The ranges of possible values for 
rdinates indicate the position errors in the placement of the screw tip. The 
he expression so obtained for the error in the y-coordinate. 

1.260 — 1.516 X sin(BOX-DELTA-ORl) 

1.25 X sin (HAND-WOBBLE-Y) X sin(SCREW-WOBBLE-Z) X sin(—HAND-W0BBLE-X) 

X sin(B0X-DELTA-0RI -f HAND-WOBBLE-Z) 

B0X-DELTA-P0S-Y X COs(BOX-DELTA-QRl) 

HAND-DELTA-POS-X X sin(BOX-DELTA-ORl) 

1.25 X cos(HAND-WOBBLE-Y) X cos(SCREW-WOBBLE-Z) X sin(SCREW-WOBBLE-Y) 

X sin(BQX-DELTA-0RI -f HAND-WOBBLE-Z) 

1.25 X cos(sCREW-WOBBLE-Y) X cos(SCREW-WQBBLE-Z) 

X COs(— HAND-WOBBLE-X) X siii(HAND-WOBBLE-Y) 

X. sin(B0X-DELTA-0RI -f HAND-W0BBLE-Z) 

1.25 X cos(SCREW-WOBBLE-Y) X Cos(SCREW-WQBBLE-Z) 

X cos(B0X-DELTA~0RI -+• HAND-WOBBLE-Z) X sin(—HAND-WOBBLE-X) 

1.25 X cos(—HAND-WOBBLE-X) X COs(B0X-DELTA-0RI -f HAND-WQBBLE-Z) 

X sin(SCREW-WOBBLE-z) 

1.260 X cos(BOX-DELTA-ORl) 

B0X-DELTA-P0S-X X sin(BOX-DELTA-ORl) 

DRIVER-LENGTH X Cos(-HAND-WOBBLE-X) X sin(HAND-WOBBLE-Y) 

X sin(BQX-DELTA-0RI -f HAND-WOBBLE-z) 

DRIVER-LENGTH X cos(B0X-DELTA-0RI + HAND-WOBBLE-Z) 

X sin(—HAND-WOBBLE-X) 

HAND-DELTA-POS-Y X COs(BQX-DELTA-ORl) 

14 






to the 


where 
that u 


Taylor 


lgnorn 


jin) 


richer 
compu 
as abo 
initial 







UKTlI 


the ho] 
Compli 
can be 


where 

algorit 




i) 


essions for Ax and Az are similarly complex. 

3 olic expression bounding algorithms described in Brooks (1981a) were applied 
oordinate expressions, given the above error bounds. The results were: 

-0.0607 < Ax < 0.0510 
—0.590 < Ay < 0.585 

—0.660 < Az < 0.654 

the direction down the hole (note that this is a different coordinate system to 
Taylor). These bounds compare favorably with those obtained by Taylor: 

—0.05 < Ax < 0.05 

—0.54 < Ay < 0.54 

—0.62 < Az < 0.62 

/ed smaller estimates by using more powerful numerical methods, and by 
e small terms. 

by carrying out the computation symbolically it is possible to answer a much 
>f questions about the geometry and the constraints. Rather than simply 
:i error estimate based on propagation of errors through the physical system 
s possible instead to start from a desired tolerance and infer constraints on the 
on. 

, for instance, that the insertion task illustrated in figure 5 is to be achieved by 
iwnward force, compliant about the screw tip, using either a passive compliance 
Drake (1977)) or active dynamic control (e.g. Salisbury (1980)). Then it is 
t the tip of the screw falls somewhere in the top of the open hole. Note that 
ling is the size of the head of the screw rather than the size of the screw shaft, 
lotion will guide the screw into its correctly seated position. This constraint 
ssed by 

/(Ay) 2 + (Az) 2 < 0.25 

le opening has radius 0.25 inches. To simplify the algebra slightly so that the 
escribed in Brooks (1981a) can handle it, and since the errors in the y and 


15 














z coore 
above <f 


Th 
plan foi 




Tb 

errors 
errors 
also askl 


It is fu| 
a num 
include 


Fi 

it is pc 


mate 

onstr, 


|f.se c<j 
the 


It foil 
piH 

A. srr|i 
lumecl 


ither 
Eir of 
selec 


tile 


m 
tisiblel 


are essentially independent, it is sufficient in this case to approximate the 
int with the following two: 

—0.25\/o 75 < Ay < 0.25\/Ch5 
—0.25 \/o75 < Az < 0.25vC5 

nstraints ensure that the action will succeed. They can be used to check the 
nsertion task in any well characterized circumstances. 


wing example uses a tighter set of constraints than those used by Taylor on 
ement of the box. The box placement errors he used tend to swamp any other 
Her amount of wobble in the attachement of the screw to the screwdriver is 
The following bounds on the errors are assumed: 


—0.05 

< 

B0X-DELTA-P0S-X 

< 0.05 

—0.05 

< 

BQX-DELTA-P0S-Y 

< 0.05 

-0.5° 

< 

B0X-DELTA-0RI 

< 0.5° 

—0.05 

< HAND-DELTA-POS-X 

< 0.05 

—0.05 

< HAND-DELTA-POS-Y 

< 0.05 

—0.25° 

< 

HAND-WOBBLE-X 

< 0.25° 

—0.25° 

< 

HAND-W0BBLE-Y 

< 0.25° 

—0.25° 

< 

HAND-WOBBLE-Z 

< 0.25° 

-2° 

< 

SCREW-W0BBLE-Y 

< 2° 

-2° 

< 

SCREW-W0BBLE-Z 

< 2° 


presumed that the screwdriver length is not pre-determined — i.e. there are 
screwdrivers of different lengths available for use. The plan generated must 
ion of one for this task, however it is known in advance that 

DRIVER-LENGTH > 0.0. 


bounds on the errors and the expressions for Ax, A y (such as above) and A z 
to deduce bounds on those expressions in terms of the undetermined variable 


16 







DRIVER 


4 


can be 


are 
tip beihl 


TU desfred constraints on A y and A z can then be applied to these bounds. Thus 

0.25\/0^5 < —0.164 — 0.004420 X DRIVER-LENGTH 

0.164 + 0.004420 X DRIVER-LENGTH < 0.25\/6T5 
0.25\/0^5 < —0.162 — 0.004204 X DRIVER-LENGTH 

0.162 + 0.004204 X DRIVER-LENGTH < 0.25\/O5 
suifl|cient|to guarantee that the insertion strategy will not fail due to the screwdriver 
side of the boundary of the hole. These inequalities are satisfied whenever 


Thus a 
and 


the 


desired 


2.2 Siduplifie 


In 

the elT<b 
to sue 
best pi 
constral 




the con 
disjunc 
plans 
quadra) 


eduefcd. 


& ou 


DRIVER-LENGTH < 2.92. 

|ymb|>lic analysis of the uncertainties in the positions and orientations of workparts 
robd manipulator has provided a constraint on the tool to be used to achieve the 


ENGT 


164 


goal. 


I his s| 
ts 0 
a 
ce in 
ins u. 


fi COl| 

strai 
ions 
ten i 
ic- fo 


i. For instance 


0.004420 X DRIVER-LENGTH < A y < 0.164 -j- 0.004420 X DRIVER-LENGTH 


defe 


Coupled Plans. 

ction four coupled planning islands are considered. A plan checker propagates 
actions from one island to the next, checking whether the errors accumulate 
£ree that planned actions are untenable. When this happens it chooses the 
the sequence of steps to introduce a sensing operation. At the same time it 
resolved decisions within the plan framework. 


iputations for these examples were carried out by an improved version of 
t system described in Brooks (1981a). The new version can handle explcit 
)f constraints (whereas the old version dealt only with conjunctions). Coupling 
ttroduces disjunctions. As a by-product the new version is also able to handle 
ms better than the old. 


17 









RI 


lili 


HQ 


HE 


luu 


figure 6. A box has previously been put on a table by a two link manipulator, 
or the manipulator to place a lid on top of the box then insert a bolt. The 
f uncertainty considered is the inaccuracy in the joints of the manipulator. A 
n sensor is available and is subject to error. 

ry of the objects and sensors. 

lipulator has two links and two parallel revolute joints. It is thus restricted to 
gle vertical plane. Each link is 24 inches long. Each joint can be positioned 
i.l°. The plans below only require that it operate at approximately the height 
int, and at a range of 12 to 36 inches from that joint. Using the coordinate 
n in figure 6 the uncertainty Ax in the x direction of its end-effector when 
coordinates (x,0) can be bounded by 

nax(0.0002215x — 0.043262, 0.0009857x — 0.063329) < Ax 

min(0.043262 — 0.0002253x, 0.063329 — 0.0009895x) > Ax (2.2.1) 

36]. These bounds are no more than 6% larger than the actual uncertainties 
ige. Note that the position error is larger for smaller x and smaller for larger 
sition error behaves inversely to the x error. I.e. y error is small for small x 
large x. However in these plans only the x error is considered. 

is 2 inches long in the direction parallel to the x-axis. Initially the box sits on 
h an x coordinate represented by the named physical quantity boxrposition. 
t was placed on the table by the manipulator, the uncertainty in that position 
cterized by (2.2.1) above. The bolt hole in the box is 0.125 inches in diameter. 

of the box is the same size as the box. The hole through it has a 0.125 inch 
ares to 0.25 at the top of the lid. 

t is 0.125 inches in diameter. The tip of the bolt narrows down to 1/32 = 
es diameter at the tip. Once the tip is seated in a hole the manipulator is 
tough for the bolt to be inserted without moving the object into which it is 


18 






















two link manipulator must place a lid on a box then insert a 1/8 inch bolt 
inch tip) through the lid with a 1/4 inch opening and into a 1/8 inch hole in 


lal sensor is placed directly above the base of the manipulator with a horizontal 
It can measure the distance of an object on the table top by the displacement 
from the center of the image plane. The sensor is subject to error, and the 
stance it must measure, the larger is the error. The implemented plan checker 
with a number of different models for the error characteristics for the sensor. 

>rs are modelled by two functions: l s and r s dependent on the sensor reading 
a true physical value v the sensor will produce a reading m such that 

m 4( m ) y < rn -f~ r s (m). 

19 








T] 

(B) pu 
the ste 


problei 

T1 

by the 

t: 

to the 


Plan 


fi\ 


as box: 
the wc: 


The r 


Plan 1 

center 


Plan 

value 



iple sensor has ~l s (m) = r s (m) — 0.0004 X m, and then for physical value v 
guaranteed to give a reading m where 

rn -f l a (m) — 0.9996 X m < v < 1.0004 X m = m + h s (m). (2.2.2) 

stage plan. 

i is broken into four subplans; (A) move the lid to a position above the box, 
the lid, (C) move the bolt to above the lid and (D) insert the bolt. Note that 
Lcquirc the lid and bolt are ignored in this formulation. This is to simplify the 
presentation. 

ial state of the world is determined by the position of the box. It was placed 
mlator at box.-position with uncertainty given by (2.2.1). 

■ subplans are given in more detail. The full details of how they are presented 
nented plan checker are given in the appendix. 

lid is moved to a position called lid:position. It has the same nominal value 
,ion. The only requirement is that the nominal position for the lid is within 
le of the manipulator, i.e. 

12 < iid/position < 36. 

t position for the lid will be subject to uncertainty characterized by (2.2.1). 

lid is released onto the box. For the subplan to work, it must be that the 
vity of the lid is above the box. Since the box is 2 inches wide this means that 

—1.0 < Iid:positlon — box:position < 1.0 . 

bolt is moved to a position called bolt.-position. It has the same nominal 
>osition. As in plan A above the only requirement is that 

12 < boifc.-position < 36. 

20 








position for the bolt will be subject to uncertainty characterized by (2.2.1). 

»olt is inserted into the lid and through to the box. For the tip of the bolt to 
Kin the flared hole in the lid it must be true that 

= —0.109375 < boit:position — lid :position < 0.109375 — 7/64. 

comply with the hole in the lid. The condition necessary for it to be inserted 
in the box is then 

= —0.046875 < lid :position — box :position < 0.046875 — 3/64. 

j of the four plans. 

ur plans will be used throughout the text to illustrate the plan checking 
iction 5 a plan checker is demonstrated analysing these four plans and their 
A summary is given here. 

i checker follows through plan A through to plan D before it encounters a 
plan D the bolt tip can inserted into the lid without the aid of sensing, but 
•tainties in the positions of the box and lid have built up so much that there 
ee that they will line up well enough for the bolt to slide though the hole in 
die hole in the box. 

i checker identifies the troublesome uncertainties as those for the box and 
but recognizes that the bolt’s uncertainty is not an issue. It briefly considers 
the box and lid positions, but without doing any uncertainty analysis it realizes 
ising will not change the geometric possibility of misalignment. The check 
t up through the plans propagating back the information that the uncertainty 
id lid positions seem to be the cause of the problems. 

C the checker considers sensing the lid position before choosing a nominal 
he bolt. It propagates the new uncertainties through to plan D but finds again 
















that th< 
operate 


that all 
reducin 


sensor 


Now tl 


imim 


for box 


nlfT 


initial 
the lov 
man ip 
box is 
the ex 


{1M 


RIM 


r 


accura 


ijiMQ 


then it 
bad so 


1 This i 
throug 
would 
here n< 
fail. H 
differei 


in 


imental problem has not been changed. The checker resumes the backing up 

1 it decides that there is nothing to be sensed which will be any different from 
,ried in plan C. It continues to back up and gets to plan A. It decides that 
uncertainty in box:position may suffice. It introduces the use of the visual 
box position in plan A, then propagates the effects forward through the plans, 
inal values for iid:position and boJt:position depend on the sensed value 
ion rather than the a priori value. 

* 

.hat a sensor with error characteristics given by equation (2.2.2) is used. 

e checker returns to plan D it finds that the plan will succeed so long as the 
isition is around either end of the range of [12,36]. If the box is placed at 
uf this range then the sensor accuracy is high and even with an inaccurate 
the lid can be placed sufficiently well on the box for the holes to align. If the 
at the high ned of the range, then the sensor accuracy will be lower, but 
>r so introduced will be compensated for by the increased horizontal position 
he manipulator in that range. If the box is placed in the middle of the range 
out that the accuracies of both the manipulator and the sensor are sufficiently 
he holes in the box and lid can not be guaranteed to be aligned sufficiently. 1 


urprised the author. In thinking about it qualitatively before running the example 
an checker it had seemed that the any restrictions on where the box should be placed 
form that constrained it to the middle of the range [12,36]. The reasoning was that 
he sensor nor the manipulator would be sufficiently inaccurate to cause the plan to 
for that to happen the shape of the sensor error characteristics must be somewhat 


22 











3. A Model of Plans and Sensors 


state ar 
refinem 
be cond 






an uric 


just a 


associa 


space 1 
be mut 


1 


the pla 
section 
orienta 
on the 


[OiKi: 


examp 


wl 


circum 


robot 


r 


the ta 
the pai 


3 1 


at mo 
single 
islands 


' model of a plan used in this paper is that there is an initial state, a final 
an of action to change the initial state into the final state. There are three 
> this basic model. There may be uncertainty in the initial state, there may- 
on the applicability of the action, and the planner may generate a plan with 
final state. All these need to be quantified. Furthermore the plan may be 
>art of larger plan - a planning island. Decisions concerning certain details 
th the plan may have to be deferred until adjacent plans in the plan island 
en finalized. Alternatively, the decisions required for the various islands may 
lependcnt. 

ay be uncertainties in the robot planner’s knowledge of the initial state, so 
: be able to handle a set of initial states. For instance in the example used in 
e set of initial states was all possible combinations of the block’s position and 
i the table, the hand’s position and orientation, and orientation of the screw 
the screwdriver, subject to the constraints given. 

on may be applicable over a class of states. For instance the screw in the 
section 2 could be inserted as long as the tip was somewhere within the 
j of the hole. Given the uncertainties in the initial state of the world, the 
' must determine whether the desired action is aplicable. 

ay be a range of final states of the world that are acceptable. For instance, if 
mply to throw a part in a bin then the particular position and orientation of 
>t important. It suffices that it is somewhere within the confines of the bin. 

; islands provide a hierarchical decomposition of large plans into smaller plans 
iled levels of abstraction. The model used for a plan in this paper deals with 
5 at a single level of representation. Section 6 discusses linking Buch plan 
i context of constraint satisfaction as introduced here. A sequel to this paper 


23 












will elal 


3.1 No 


O iHIti 


iFijrn 


notatio 


necess 


functio 

functio 


case le 


upper 
in lowc 
slots n 


meani 


strain 


fk 


expres 


is an etapres 


is a comstra 


on these methods. 


dize the model of a plan it is necessary to introduce some notation. The 
>duced in this section is sufficient to follow up to section 5 when more will be 

il functions are written as words such as DECIDE or support. Upper case 
those for which there exists a program to compute their values. Lower case 
mathematical entities which may not be computable. 

)per case letters, perhaps with subscripts, such as P or refer to sets. Lower 
uch as e are used to refer to mathematical individuals. Strings of letters set in 
■pewriter font, such as BOX-POSITION-X are formal variables of a plan. Strings 
such as box ;Tength refer to slots in the geometric model of the world. Such 
it actual physical quantities. 

is defined on a domain are sometimes applied to a subset of that domain, 
image of the subset under the function. 

ons are constructed from constants, formal variables and slot names. Con- 
first order sentences over boolean-valued predicates applied to one or more 
Thus 

3.0 -f BOX-POSITION'-X -f- B0X-P0SITI0N-DELTA-X 

ion while 

—0.03 < BOX-POSITION-DELTA-X X cos(BOX-DELTA-ORl) < 0.03 
it. 


24 










A lust o 


identifies a d 


straint 


DEF1N 


it. It is 
which 


suppor 




DEFIN 
that ca: 


m 


DEFl 


prodiu 


The oi 


ism 


writte 


•Mini 




appro* 


constraints is written as a subscripted C, such as and Cj. The subscript 
irticular constraint set. A set of constraints is equivalent to the single con- 
is the conjunction of its members. 

The support of an expression is the set of atomic symbols which appear in 
in support(e). Similarly support(c) is written for the union of atomic symbols 
n all the expressions in the constraint c, and support( C) for the union of the 
11 the constraints in the constraint set C. | 

iple the support of the expression above is the set 

{ BOX-POSITION-X,BOX-POSITION-DELTA-X }. 

: The range of a formal variable v is denoted range(v) and is the set of values 
ubstituted for the variable. | 

y, the range of a variable will be the real numbers. 

: A set of variables V defines a space, denoted space(V), which is the cross 
ie ranges of the elements of V. I.e. 

space(V) — JJ range{v) 

v£V 

of the product is arbitrary but fixed for index sets V. | 

p £ space(V) can be written (p Wl ,p Va ,.. M P v n )> where the product forming 
trdered v u ..., v n . Given p £ space(V ) and v £ V the nth ordinate of p is 
id of course p v £ range(v). 

vo variable sets W and V where W C V, 8pace(W) is identified with the 
natural subspace of space(V). 


25 








DEF1N 


then pi 


space 


DEFIN 


then li 


In part 


DEFI) 


V € sp 
is the 


v 6 su 
c , Th 


encom 


tin 


then [t 
evalua 


where 


L'llKL 


Given variable sets W and V, where W C V', and a subset S C space(V), 
W, S) is the projection of S into space(W'). I.e. 

proj(V, W, S) = { q € space(W ) | 3p £ = q w }.| 

:ample a spherical volume in three space projects into a filled circle in two 

,!/>*},{*,!/}>{(*>».*) I x 2 + y 2 + z 2 < 1}) = {(z,y) | x 2 + y 2 < 1>. 

: Given variable sets W and V where W C V, and a subset R C space(W), 
W,R) is the largest subset of space(V') which projects into R. I.e. 

’t(V,W,R) — {p € space(F) | 3 q £ space(W),V w £W,p w ~ q w }. 

proj(V,W,lift(V,W,R)) = H.| 

: Given an expression e and a variable set V where support(e) C V , and 
then [e)v'(p) is the interpretation of the expression e at the point p. Its value 
of evaluating e with the substitution of p v for v throughout for each variable 
e). The definition has a natural extension to the interpretation of a constraint 
is a predicate on the domain space(V). The definition can be extended to 
artial evaluation of expressions. Thus if 

V C support{e) — U 

will be an expression with support inU — V and will be the appropriate partial 
' e, i.e. 

V?£t/-V, [leMp)][/-v{?) = [e]t,(r) 

such that proj{U, V, r) = p and proj(U, U — V, r) = q. 

26 







DEFIN 


satisfyi 
the con 


For a 
of C o 


constr 


where 


3.2 Re 1 


1 0jtl9. 


11 


made 

robot 


njiua 


iple 

X-POSITIQN-X + BOX~POSITION-DELTA-X] { BOX-POSXTION-DELTA-X>(0) 

= BOX-POSITION-X. 

Given a constraint c and a variable set V where support(c) C V, the 
of c over spaced), written sa£(c, P), is the set of all points in spa,ce(V) where 
k holds. I.e. 

sat(c,V) = {pG space(V) | [ c] v {p )} 

lint set C and a variable set V where support( C) C V, the satisfying set 
ice{V), written sat(C,V), is the set of all points in space(V) where all the 
l C hold. I.e. 

sat{C,V) = p| sat(c,V ).| 
ceC 

it for a constraint set C where support( C) C W C V then 
sa£(C, V) = lift(V, W t sat(C, W)). 

o that for two constraint sets, and C#, and variable set V then 
sat[ C a \JC b ,V) = 8at(C Ai V)r\aat{C s ,V), 
r t(C>j) C V and swpp<?r£(Cs) C V* 

ting uncertain physical situations. 

•e two types of uncertainty which a plan checker must deal with. Plans can be 
letailed, yet still incorporate unresolved decisions. Even at execution time the 
ler will not have exact values for physical parameters. These are both handled 

27 







formal variables to represent uncertain knowledge and constraints on formal 
t is known. 

»two distinct sorts of variables: those whose values though not known at plan 
5 at least a known nominal value assigned them before execution time, and 
rill not be known even at execution time. 

; whose values are not known at plan time, but will be known at execution 
d plan variables. 

9 

\ whose values will not be known even at plan execution time are called 
ariables. 

tn ting physical values. 

quantities are represented in geometric models by names. An ad hoc nam- 
s used in this paper to avoid the introduction of unnecessary machinery. 
1 A in the example of section 2.2. The only physical quantities represented are 
o and lid: position. In a more realistic representation of the plan, the named 
itities would include, boxrwidth, lidnt idth and lid:t eeder-position. 

i physical quantity is represented as the sum of a plan variable and an un- 
•iable. Thus for instance in plan A the position of the box on the table, 
n, is represented by the expression 

BOX-POS -f BOX-UNC. 

n variable BOX-POS whose exact value may be unknown at plan time represents 


the nc 
variab 
the ac 


ninal 
i BOX 
lal p 


value of the position of the box at plan execution time. The uncertainty 
•UNC represents the uncertainty that the robot controller will have concerning 
lysical position of the box at plan execution time. 


28 



















time, 
by fun 
actual 
Simila 
partial 
il lustra 
(the ir 
repres 


MU: 


3 iWiWT 





This value for BOX-POS can correspond 


BOX-POS 

issibie values of BOX-POS for An P oinls on this line se S ment 

single physical situation. represent the same physical 

situation. 

given physical situation can be represented by any point on the sloped line, 

5 nominal value can take on any value in the projection onto the horizontal 
sely any nominal value can correspond to any physical situation whose sloped 
3 the vertical about that nominal point. 

physical quantity may have many different representations at plan execution 
ler figure 7 . The uncertainty variable BOX-UNC is bounded above and below 
of the plan variable BOX-POS. A particular value for BOX-POS can model many 
:al situations - one for each value of BOX-UNC which lies within the bounds, 
riven physical situation can be modeled by many values for BOX-POS. Any 
lysical situation corresponds to a straight line segment, with slope —1, as 
figure 7 . Any value for BOX-POS which lies in the project of the line segment 
;ion of the line and and the bounded region) onto the axis is a valid nominal 
n of the physical situation. 

il values of expressions. 

linal value of an expression can be recovered by substituting zero uncertainty 
Thus if P is the set of plan variables and U the set of uncertainties, then the 












nominal 
where 0 


form Jij 
above, 


This in 
of a de 


3.3 W1 


state 


values 
both u 


consid 
from i 


action 
the ov 




3.3.1 


fJi 


positid 


is act 
only 




i of an expressions e, where support(e) C P \JU> will be given by [e][/(0[/) 
he zero point of space[U). 

• instance the nominal value of BOX-POS -f- BOX-UNC is BOX-POS. The functional 
! acts on named physical quantities. Thus if boxrposition is represented as 

nominal{box: position) = BOX-POS. 

atical device will be useful when it is necessary to extract the nominal value 
•xpression. 

pecified and unspecified in a plan. 

k an initial state, an action applied to that state and a final state. 

time there may be unresolved decisions and so not even the nominal initial 
known. At execution time there will be many uncertainties in the actual 
sical quantities. Thus a plan must consider a set of initial states, ranging over 
zed decisions and physical uncertainties. With many possible initial states to 
e are many possible final states. The action of the plan thus becomes a maping 
tates to final states. 

: of a plan checker is to ensure that for all possible initial states the planned 
licable and will lead to a final state that can be handled by the next step in 
[an. 

state. 

srtion task in section 2.1 can be planned in some detail in terms of a nominal 
die block on the table while still representing it as a variable. Before the plan 
;ecuted a specific nominal position will be chosen. (Note that it may be chosen 
warily before the plan is executed - perhaps on the basis of a sense operation.) 


30 









The un 
at plan 


n 


terms 


over c 


this p 
repres 




not co 


initial 


those' 
the set 


till 


island 
this p 


gun 




be re 


8.L 


repres 


the as 


and tl 




lty in the two coordinates of the block on the table will not be known even 
tion time. Bounds on those uncertainties were, however, known at plan time. 

;>f all plan variables in a plan is denoted P. 

of all uncertainty variables in a plan is denoted U. 

netry of the initial state of the world is specified in terms of the geometry (in 
ed physical quantities) of the objects in the world and in terms of expressions 
jS and variables in the set P U U, representing named physical quantities. In 
oly the correspondences between named physical quantities and expressions 
them are considered. The details of representation of geometrical relations are 
sd. 

initial constraints , Cj, where supporl(Cj) C P U U, constrains the possible 
to which the planned action may be applied. Furthermore, sai(Cj ,P U U), 
etations of the variables which satisfy all the constraints, can be considered as 
ssible initial states. 

Cj is derived by the-planning system by tracing through the geometry of plan 
the given initial state of the world. Its initial derivation is not a concern of 

sample consider plan A of section 2.2. There is only one physical quantity to 
ed, namely box:position. The initial states of the world of plan A can be 
oy the sets 

P = { BOX-POS } 

U “ {BOX-UNC}, 

on 

box.'position ~ BOX-POS -f BOX-UNC, 

2) consisting of the constraints 


31 












where 


the as 




and C 


3.3.2 


n 


generi 

action 

pure! 


is ass 


identi 


aspec 
para 
tip of 
for th 


into c 






I 


12.0<BOX-POS<36.0 
ej(BQX-POS) < BOX-UNC < e^BOX-POS) 

ei(x) — inax(0.0002215a: - 0.043262,0.0009857x — 0.063329) 
e h (x) = min(0.043262 — 0.0002253.x, 0.063329 - 0.0009895x). 

13 the initial states of the world can be represented by the sets 

P ~ { B0X-P0S } 

U = { BOX-UNC, LID-UNC}, 

►ns 

box: position — BOX-POS -f BOX-UNC 
lid:position — BOX-POS + LID-UNC 

sting of the constraints 

12.0 < BOX-POS <36.0 
ei(B0X-P0S)<LID-UNC<e^(B0X-P0S) 
Ci(B0X-P0S)<B0X-UNC<e^(B0X-P0S). 


,ed with an action are certain applicability pre-conditions. The robot planner 
ese conditions as sufficient to ensure that the geometric consequences of the 
orrespond to the modelled consequences. Some of these constraints might be 
etric. For example an insertion action requires the existence of a hole. It 
;hat the robot planner has ensured such prerequisites and can transmit the 
ich geometric features to the plan checker. In addition to the gross geometric 
: may be certain finer details which can be conveniently expressed in terms of 
For instance in the insertion task of section 2.1 there was a condition that the 
■ew lie within the circumference of the hole. This is an abstract pre-condition 
cablity of the insertion action. In the example it was translated in two steps 
ns on the plan and uncertainty variables, Firstly it was expressed as 

y^Ax) 2 + (A;y) 2 < HOLE-RADIUS 


32 












and the 
quantiti 


[■■ORT 


geome 
the pi 
that s 


a 


ma 


place i 
lid :pos 


which 


which 


I OKI 


(HI 


' iHWli 


the bo 


center 


((■MB! 




which 


which 


! I lit HO 


3.3.3 


variab 
the vai 


much more complex expression as the quantities Ax and Ay were related to 
resenting the state of the world. 

checker model of this paper assumes that the robot planner carries out the 
srpretation of the abstract action applicability conditions into constraints on 
uncertainty variables. Let that set be for applicability constraints. Note 
C A )CPUU. 

A the abstract applicability condition is that the lid be moved to some 
vorkspace of the manipulator. Since the lid is to moved to physical position 
then the condition can be expressed as 

12.0 < nominal(lid: position) < 36.0 
es 

12.0 < LID-POS < 36.0 
single member of the set C>t. 

B it is necessary that the center of gravity of the lid be above the extent of 
ie the box is two inches wide, and its coordinate system has the origin in the 
box, and similarly for the lid, the condition can be expressed as 

—1.0 < lid:position — box :position < 1.0 

es 

— 1,0 < LID-UHC “ BQX-UNC < 1.0 
single member of the set C 

tate. 

l 1 state of the world is similar to the initial state in that it is represented by 
associations of expressions and named physical quantities and constraints on 


33 














the act 


Someti 

positioi 


taintie*.,, 
the act 


uncert 




as a si 


geome 

relates 




states 


«*2 


5 ] 


initial 


lu; 


that s i 


satisfy 


consis 




where 
is that 


)n of a plan transforms the initial state into the final state. Sometimes 
modeled purely geometrically, as in the insertion example of section 2.1. 
will introduce new uncertainties into the world. Plan A moves the lid to a 
uncertainty determined by the position uncertainty of the manipulator arm. 

i the set of introduced uncertainty variables. Members of V model uncer- 
iresent in the world before the application of the action, which are a result of 
>lf. 

Its of an action can not, in general, be modelled precisely. This is the souce of 
i the plan checker’s model of the world. Thus the action can not be modeled 
unction from the set of initial states to the set of final states. Instead the 
,he action is captured by a set C g, where support(Cg) C P U U U V, which 
tial state of the world to the introduced uncertainties. Thus the possible final 
world are 

sat(Cj UCg,PUUUV). 

pmetry constraints correspond to a physically realizable action, then for every 
'/here the action is applicable, it should be the case that there is a final state 
the constraints of the geometry. Thus the geometry constraints must 
lysic.al realizability condition 

JUV,PUU, sat(C zUC A UCg,PUUUV)) = sat(C j UC A ,PUV) (H). 

sample the geometric constraint set Cg associated with the action of plan A 
e singleton 

ej(BQX-POS) < LID-*UNO < e/^BOX-POS) 

roduced uncertainty variable set is v = { LID-UNC }. The introduced association 
lid: position = BOX-POS + LID-UNC. 











subject 




geo met 
to repr* 


3.4 Act 


desired 
of the 
difficull 




general 


3.4,1 


the wo 
the fin 
conditi 


try, a plan is specified by its geometry g and by three sets of variables 

P plan variables 
U initial uncertainties 
V introduced uncertainties 

ee sets of constraints: 

C; initial constraints support(Ci) C P U U 

applicability constraints support(C^)C P U U 

C g geometry of action support{C g)C. P U U U V 

ith geometry g is written as an 7-tuple (g, P, U , V , C j, C. 4 , Cp). Note that the 
eludes the associations of named physical quantities and algebraic expressions 
hem. 

e plans. 

of a plan checker is to decide whether a plan will work and produce the 
The mathematical criteria for these objectives are easily stated in terms 
developed above for plans. They are stated below. There is however some 
ranslating these abstract criteria into algorithms. Sections 4 and 5 develop a 
>ach and describe a particular algorithm. 

ion must be applicable. 

netric constraints Cp, describing the effect of the action on the initial state of 
valid only if the applicability conditions are satisfied. Thus to guarantee that 
e of the world meets the derived constraints it must be that the applicability 
e satisfied for all possible initial states. Thus 


sat(Cj,P U U) C sat{Cj UC A ,PUU). 


(A) 











3.4.2 T 


feasible 
for a p 
vaild ii 


set of i 


liUM 


goal c 


"r'Rniff? 


introd 
plan isli 


MUII 


M iHim 


of this 


affect 

initial 




i[m 


analys 


:K] 


state 


this c 
by thi 



r mi.ru 


>piiy 


J state must be reasonable. 

i used for a single planning island must leave the world in a state that is 
e next island in the planning chain. Thus a goal condition can be formulated 
fen any valid initial state a plan should produce a state of the world that is a 
tate for the next plan. 

that the next planning island in the chain has an initial state described by a 
.riables P *, a set of uncertainties U* and initial constraints Cj. 

fie model of planning one could demand that P — P and U U V = U . The 
n for a successful plan then becomes 

■(CiUC 9 ,PUUUV) C sat(C*j,P* U U*) = sat(C),PUU\jV). 

istic. planning sytem that assumption can not be made. Variables can both be 
id removed at various points along the temporal sequence from plan island to 

8, including plan variables, are introduced by sensing operations. Examples 
en below in sections 3.5 and 4.2. This type of variable introduction does not 
il condition statement, as the variables are not used in the description of the 
>f the plan in which they are introduced. 

s may be introduced for a second reason. To decrease the complexity of 
Ian islands, it might be the case that aspects of the geometry of the initial 
world are ignored until the first plan step in which they are relevant. In 
introduced variables must be independent of the state of the world described 
ts of the previous actions. The introduction of such variables considerably 
the statement of the goal condition, but in reality add little to its meaning, 
iplementation of algorithms to check that the condition is met. Therefore the 


36 













Ill 



DEFI 


dcscri 


it is s 


3.5 W 


measu 


this paper assumes that all aspects of the world geometry are modeled from 
te of the world, and propagated through all actions. In an implementation of 
s presented later in this paper it is easy to add in this aid to efficiency. 

are removed when all named physical quantities with which they are as- 
ne meaningless. For instance if an object is put down at some temporary loca- 
ked up, the variables which describe its temporary location have no geometric 
in resultant state of the world. Such variables are removed from the descrip- 
/orld state of all following plan islands. This convention is assumed to aid in 
g of planning Islands. It may mean that a sequence of plans, for which a valid 
Lriables can be chosen, might be rejected due to failure to understand subtle 
if uncertainty dependence between plan islands. This paper assumes that the 
•iency derived from the decoupling allows extra planning effort, to find better 
ans in such obscure cases. 

ms be assumed that P* C P and U* C U U V. The goal condition now 
[P U U U V, P* U U\sat[Cj U Cg, P U U U V)) C sat{C], P* U U*). (G) 


: A plan (g,P,U,V,Cj,CA>Cg) whose following plan has initial state 
P*, U* and Cj is called sound if both conditions (A) and (G) are true. | 

I of a plan checker is to either certify that a plan is sound or modify it so that 
V sound plan is illustrated in figure 8. 

ensor is. 

r is used to measure a quantity in the real world. All sensors are subject to 
b errors. A plan checker must have a realistic model of a sensor and its error 


37 






















Figure 

which 


Final States 


js.ctA° B 




i 1 i 


Initial States 
(next plan) 


•tes where 
•plicable. 


States where 
applicable, 
(next plan) 



Projection of 
Final States 


< I (IT 


charac 
of sue 


3.5.1 


in na 


must 


sound plan has an action which is applicable for all possible initial states, and 
;es a final state expected by the following plan. 


,s in order to be able to plan the use of a sensor and to realize the consequences 


0I1B1 


DU 3IB1] 


mg in 


Then 


able quantities . 

ity which can be measured must be geometrically represented as an expression 
ysical quantities. In addition a sensor which can carry out the measurement 
lable. 


e is the expression in named physical quantities, and / the result of susbstitut- 
for he representations of the named physical quantitities in a plan 

(g,P,U,V,Ci,C A ,Cg). 

ppo' t[f) C P\JU. Expression / can be broken into the sum of a nominal expression 


38 














n and 


Thus t 
in the 


the co 
object 


sented 


and wi 


IQtltl 


rilTiKi 


IINIMl 


where 
a suit 


m 


If ther 
of the 


himdi 


icertainty expression u by writing 

n =[./MM 
w —f — |/MM* 

ertainty in / is zero if the uncertainties in all the named physical quantities 
t of e are also zero. Note that 

support[n)CP 
support(u)CP U U. 

examples of geometrically measurable quantities are the length of an object, 
,cs of the position of a detectable feature on an object, the orientation of an 
area covered by an object on a back lighted table. 

nple consider a flat rectangular object whose length, objec fc/lengtb, is repre- 

LENGTH -f LENGTH-UNC 

bjectnifidth, as 

WIDTH -f WIDTH-UNC 

and WIDTH are plan variables, and the others uncertainty variables. Then with 
isor the length of the object could be measured and in that case 

n — LENGTH 
U = LENGTH-UNC. 

vision system available which can measure blob areas, then perhaps the area 
the object could be measured. Then 

n = LENGTH X WIDTH 
u —LENGTH X WIDTH-UNC 

-f WIDTH X. LENGTH-UNC 
-f LENGTH-UNC X WIDTH-UNC. 


39 














3.5.2 


n ~f u 


measui 


131 Kit] 


left an 


A mo< 


names 


This ii 
physic 


nomin 


then 


(Recal 


over o 


depen 

especii 


hV 


quanti 


»[{ 




error is a source of uncertainty. 

sor s capable of measuring a geometric quantity modelled by the expression 
mtly provides a measurement which is subject to error. Thus it provides a 
, which is the true value of the quantity in the real world plus some error term. 

• s is modelled algebraically by two error expressions, namely l s and r s (for 
:), where 

support(l s ) = supporter s ) = {READING S }. 

* 

sensor s can be read by evaluating READ(s) (recall that uppercase function 
pond to functions for which there is a piece of computer code somewhere), 
lominal value returned by the sensor. If correctly modelled then the actual 
le v of what is being measured lies somewhere within an error range of this 
e. Let 

m = READ(s) 

READING, }( m ) < V < ra-f N{ READING. }M- 

the notation [/ s ]{ READING,} is a \~-expression which turns l s from an expression 
iable into a function of one argument.) Thus a sensor can have an error 
n the value it measures. This corresponds well to most physical sensors; 
>se that are non-linear. Often, of course the error expressions will be constants. 

tample, consider a sensor s which delivers a reading with ^10% error. Then 

~/ s = r s “ 0.1 X READING s . 

r figure figure 9. A sensor is being used to read a value for the named physical 
.position. It is represented as before by the expression 

BOX-POS BOX-UNC. 

40 










Uncdi 


Figure 
value ' 
shadec 


The se 


value 


9. Thu 1 
the set 
to choc 
of the 


the sh 
constr 


ill! 


nr 


robot c( 
that wi 
robot c 
that it 
all sens 


Sensor bounds 


More accurate 


sensor 




E I 


—- ’ “ 

Reduced 

uncertainty 

sensor produces a bound on possible physical values. The correct nominal 
lewhere in the bounded part of the plan variable axis (refer to figure 7). The 
gives the valid representations of the physical situation. 


Mil 






jts a bound on the actual value of box: position. Recall that a given physical 
represented by any point on a line with slope —1 in a diagram such as figure 
ich lines which go through the bounded region of the horizontal axis comprise 
sible realities which are consistent with the sensor reading. It makes no sense 
due for BQX-POS which is outside the bounded region. Thus any representation 
d situation which is consistent with the sensor reading should be a point in 
gion of the figure. At plan execution time the sensor reading can be used to 
variables BQX-POS and BQX-UNC to define a point in this region. 


or error expressions are used in different ways by the plan checker and the 
er. The plan checker uses them to generate symbolic bounds on the errors 
nherent in nominal values chosen for plan variables at execution time. The 

t er uses them to generate numeric bounds on the actual sensor readings so 
ose a set of nominal values for the plan variables which are consistent with 
ngs and with the state of the world known from previous steps in the plan. 


41 












and pi! 
if P w 




strain 
constr 
to mec 
that it 


that th 
sound. 


[ilDEXl 




Values 
often 
it may 
the eff 


inlKKU 


so mor 


knowle 
certain 
for che 


4.1 Coi 


constra 


4. What A Plan Checker Can Do 

Ians P and P* where 

P —(g>P t U, V , Cj,Cji,Cc) 

?'~( 9 \P\U\V\ c;,c;,C*) 

immediately follows P in the planning island chain, a plan checker could decide 
nd by checking whether the conditions (A) and (G) were satisfied. 

approach requires the comparison of satisfying sets of different sets of con- 
an be quite difficult to explicitly compute satisfying sets whenever non-linear 
re involved, and it is also difficult to compare them. In addition simple failure 
of the conditions (A) or (G) may give no hint as to how to modify the plan so 
lcceed. In general it is easier for a plan checker to modify a plan to guarantee 
ilied plan is sound, rather than trying to decide whether a given plan is already 

est way to modify a plan is to put extra constraints on the plan variables, 
be chosen for those variables before execution time, and the plan checker can 
;ce that the plan will work by simply constraining those choices. If that fails 
cessary to introduce sensing into the plan. Section 4.2 gives an analysis of 
sensing on a plan. Sensing essentially decreases the uncertainty in the world, 
traints can be added to the initial state of the world to reflect the increased 
at the robot controller will have at plan execution time. Section 4.3 relates 
’ties of these various sets of additional constraints to the six possible outcomes 
\ plan given in section 1.2. 

itly checking and rescuing a plan. 

iod proposed here requires a plan checker to construct an additional set of 
V ( the M is for new constraints), where support(C M ) C P\J U, such that the 

42 









plan 


(g^U.AiCjUC^CA'Cg) 


is soun 


C u wl 


1ST! 




thinkii 
is best 
desirab 


4.1.1 






contai 


of the! 
constr 
is valij 


Vp £ prt 


[•[i 


in 


This cj 
of con 


new p 
set Cj 
enable 


impos 

realiz* 




ormance of a plan checker can be measured in terms of the properties of the set 
s able to compute. Some care must be taken in computing C jj to avoid wishful 
re the constraints on certain of the variables are physically unrealizable. It 
aid making unforced decisions at any given plan island so a minimal Cjy is 
low a minimality condition is defined for Cy. 

f thinking. 

C jv can not be chosen arbitrarily. It is easy to construct constraints which 
m wishful thoughts about the initial state of the world. 

>me specific sensing operation is to be added to the plan, or some previous steps 
re to be re-planned to meet new initial uncertainty constraints, C^ should not 
j initial uncertainties for any set of values for the planning variables P which 
th the old plan and the new. I.e. the following condition must be true. 

U,P,sat{Ci UCi/.PUl/)), (4.1.1) 

Put/, p, p) n sat(C I u c M , P u U) = lift(P U U,P,p)n sat{Cj, Put/) 

m is easily satisified when support {C >/) C P. In fact there is an equivalent set 
s with support contained in P whenever the above condition is satisfied. 

fian checker should first try to compute a set of constraints C h such that the 
sound and support( Cjv) C P. If it fails to do that, it can try to compute a 
e support(C^) C P U U, so long as there exist sensing operations which will 
litial state of the world to be determined within the uncertainty requirements 
A prerequisite for this is that the uncertainty requirements be physically 


43 









EE 


by the 


It may 
that 




The d 


iKiroai 


an acc 


could e 
estima 


4.1.2 


Min 


unm 


numbe 
plan w i 
that th 
but rat 
detaile 

least J 



plan c 
section 


,nce, consider the measurable quantity box:position from plan A represented 
5sion 

BQX-POS 4- BOX-UNC. 

at the constraints C ^ imply that for the plan to succeed it must be the case 

BOX-UNC G [—0.05,0.075]. 

sensing operation would be physically realizable with a sensing device having 
jf ± 0 . 05 . However it is highly unlikely that 

BOX-UNC £ [0.125,0.25] 

> physically realizable. Such a range simply does not make sense as an error 
a sensor. 

Jity of additional constraints. 

constraints C jj narrow down the set of possible initial states since 
sat(Ci \JC M ,PUU) C sat(Cj,P U U). 

ble property of the set of new constraints C>/ is that it remove the minimal 
lowable initial states of the world at the same time as they ensure that the 
k. This is equivalent to arguing for a maximal satisfying set of Cj U Cjy . Note 
no sense a condition of the complexity or size of expression of the constraints, 
i their effect. It is a desirable property because it allows maximal freedom in 
ning concerning the other planning islands in the overall plan. It provides the 
nt on the rest of the plan. 

ormance of plan checkers can be compared more formally as follows. If two 
5 fix a plan by responding with the same outcome amongst 1 through 6 of 
ut with different sets of additional constraints, C^, and C.y 2 say, then C.v, is 

44 









smallei 


Note t 


more 


been d 
the bes 
plan cc 


4.2 Pb 


iijim 


the pi i: 
suppor 
of the 
howeve 
to rest i 


4.2.1 




robot 




variabl 


, i 

quanti 
to cho 


which 

uncert 




Hi 


ore preferable) than C.y a if 

sat{Cj UCy 2 ,PUf/) C aat(C I [)C Mlt PUU). 

L all pairs Cj/, and Care necessarily comparable. 

tcome 1 is more preferable than outcome 6 (and in general lower numbers are 
ble than higher) a partial order on responses by a plan checker to a plan has 
This is however only a partial order and so it can not be used to determine 
onse to a given plan. That depends on how the planning island to which the 
>nds interacts with all the other planning islands in the overall plan space. 

to use a sensor. 

the plan checker can not find a set C y with support(C\j) C P which ensures 
1 work. In principle, the plan checker should search for a set such that 
C P U U and such that there exist sensors which can determine the state 
at plan execution time to within the accuracy required by C>/. Sensing, 
oduces new uncertainties and new nominal values. Therefore it is necessary 
e the representation of the plan with sensing to reflect the new variable sets. 

riables must be introduced. 

figure 4. The world has an initial state. A sense operation is carried out. The 
iler interprets the sense operation by choosing some nominal values for plan 
d then the plan proceeds as in the simple case of figure 3. 

1 of a sensing operation is to choose new nominal values for named physical 
o fit this with the variable and constraint formalism used here it is necessary 
w names for all sensed quantities. Thus for each named physical quantity 
■8 in an expression describing a physical quantity to be sensed, a new plan and 
rariable pair must be chosen. 


45 









mijiw.i 


Origin 


Let t 


m 


BOX-SE 


Since 


<1 


can be 


be sen 


in na 


4.2.2 


.Till 


and uj 
the su 


I ■o 


Simila 
o is th 


mi 


ex pres 


must 


lOlM 


the ro 




that in plan A it is decided to sense the physical quantity box.’position. 
is represented by the expression 

BOX-POS -f BOX-UNC. 

plan variable be BOX-SENSE-POS and let the new uncertainty variable be 
C. The new representation of the physical quantity will be 

BOX-SENSE-POS -f BOX-SENSE-UNC. 

■e representations of the same physical quantities the constraint 

BOX-POS -f BOX-UNC == BOX-SENSE-POS -f BOX-SENSE-UNC 

led even at plan time. Similar restructuring takes place when the quantity to 
not a single named physical quantity, but rather derived from an expression 
ysical quantities, such as the area of the top of the box in section 3.5. 

lints implied by a sense operation. 

rom section 3.5 an expression / which is the representation in terms of plan 
nty variables of a physical quantity to be measured, can be decomposed into 
nominal expression and an uncertainty expression as 

/ = n + u. 

o -f- v be the expression in the original variables which it is replacing, where 
linal component and v the uncertainty component. Since the old and new 
epresent the same physical quantity, the constraint 

n u “ o -f v (4.3.1) 

■ reading at execution time provides a nominal value for the expression n. I.e. 
itroller can interpret a sensor reading of m by assuming the constraint 


(L]{ READING* }( m ) < n < m-f- [r s ]{ READING, >( m )- 












All sue 
control! 


for exp 


sensor 


one se 


sensor 


iMtl 




directb 


a prion 
the ran 
each re^ 


deduce 


»l 


actual 


• lilTll 


</7M iTi 


value can be 
READING 5 , Th 


Tl4 nom 


giving 


traints will be combined (also with constraints already known) and the robot 
l choose consistent nominal values for all the plan variables P. 

not simply use the nominal value returned by the sensor as the nominal value 
i n at plan execution time? There is a problem with consistency of multiple 
gs- Since eac h individual sensor has errors in its measurement, if more than 
used to measure values for non-independent expressions then the nominal 
will usually be inconsistent if used as the nominal values for the expressions. 

at the robot controller will not use the nominal value returned by sensors 
not possible to use the sensor error characterization directly to constrain the 
tie uncertainty of using a sensor. The analysis below proceeds as follows. First 
)ossible sensor readings is characterized, then the possible interpretations of 
are characterized as in figure 4. From that an a priori uncertainty can be 

sider the range of possible sensor readings which might be returned. The 
,1 quantity a priori modelled by o~\~ v must lie in the error range sensed. Thus 

m 4~ [h]{ READING. }[m) < o + v < m -f [r s ] { READING. >(m). (4,3.2) 

replaced by a new plan variable READING S . At plan execution time an exact 
obtained for this plan variable. Recall that l 9 and r s are expressions in 
n the above constraint becomes 

READING S 4- l s < o -f v < READING S + r s . (4.3.3) 

nal value to be chosen for n by the robot controller ensures that 
READINGS 4 l 5 < n < READINGS “f r 9 

READINGS < READINGs 4~ r a — u 

READINGS + Is — u < READINGs + r s 


47 







so tha 


Recall 


constr 

constr 


READIN 
there is 
suffice 
the un 


401 


it is th 
checkei 


a consi 


makes 
First it 
checker 
derived 


interpr 


3'KMM 


constrai 
by the 


4.2.3 T 


uncerta| 
when ei 


l* — r s < u < r s — l s . ( 4 . 3 . 4 ) 

s and r s are expressions involving READING^, 

t constraint reduces the uncertainty u in terms of READING s which is itself 
n terms of the original model by (4.3.3). Together with (4.3.1) this also 
e possible range of n. 

pedal case that the expressions l s and r s are independent of the variable 
. for a sensor that has constant error characteristics over its whole range) 
ed to introduce READING,, as a plan variable, and constraints (4.3.1) and (4.3.4) 
strain the possible values which will be chosen for n, and for characterizing 
ty u. 

ight (4.3.4) seems to underconstrain the uncertainty u. Recall, however, that 
rtainty at plan time in the derivation of n in terms of o, given that the plan 
10 knowledge of the algorithm the robot controller will use in determining 
let of nominal values. The implemented plan checker described in section 5 
use of the accuracy of available sensors by introducing three complications, 
les that all constraints are “well behaved” in some sense and that the plan 
etermine at plan time all discontinuities in the valid values for a plan variable 
a sense operation. Secondly it plans sensing operations one at a time, with an 
phase interposed between any two of them. Thirdly it conservatively adds 
Cj which ensure that the robot controller can use the nominal value returned 
as the nominal value for the physical quantity being measured. 

ructured plan. 

D P include introduced plan variables, and 3 U include the introduced 
triables. Also include in P+ any variables READING., associated with sensor s 
or r s included it in their supports. 


48 








goeme 
sets C 
variabj 





RIlTlI 


whose 


ex pres 


time. 




on its 


imii 


error 


where 

check 


plan is 
variabl 
keeps 1 
set P. 


on the 


iiiiM 


in the 


4.2.4 


ilrTmTo 


OHl 


v expressions associated with some of the named physical quantities in the 
f a plan (g,P, U, V, C j, C.^, Cp) make it necessary to reconstruct the constraint 
C g. Let the new versions be Cj~ and Cj. Their supports do not contain any 
n P and U associated with a named physical quantity which is in an expression 
will be sensed. Let < 7 + be the geometry g , along with the new associations of 
tnd named physical quantities. 

be the set of constraints on the new variables which can be deduced at plan 
snsor contributes either two or three constraints. A sensor with error dependent 
l contributes cpnstraints (4.3.1), (4.3.3) and (4.3.4). A sensor with independent 
utes only (4.3.1) and (4.3.4). Clearly 

support(Cs) C P~^~ \JU+. 

.ructured part of the plan which follows sensing can now be written as 
?+ = (g+,P+,U + ,V,Cf, C+,Cj) 

= Cj U C 5 . Once constructed it can be analyzed and checked by the plan 
most the same manner as the original plan. 

y way in which the resulting plan must be treated differently from any other 
a constructed set of constraints C m may not constrain any introduced plan 
he set P+ — P. The implemented plan checker described in section 5 actually 
f such variables separately, and constructs sets Cjy with support in the original 
mstraints on the introduced variables are thus expressed in terms of constraints 
al variables. A formal notation for this representation has not been introduced, 
its of clarity and brevity. 

>ot controller interprets multiple sensors. 

execution time the robot controller makes measurements using all the 


49 












prescr 

values 


tan 


structi 

chosen 


9i] 


NAy 




strain 


is the 




to be t 
constr 


11 




There 


iso 


have n 


sensors 


the ser 
a set 
the co 




bv cho 


nsors. It then must interpret the values in order to choose a set of nominal 
•ious physical parameters, which will be used to carry out the planned actions. 

1 checker sets the stage for the execution time sensor interpretation by con¬ 
et of constraints which must be satisfied by the new nominal values to be 
an variables in P+ — P. 

extension of previous notation needs to be introduced. Given a set of con- 
set of variables A and a point a £ space[A), then 

|c]x(«) 

:onstraints C partially evaluated at the point a. 

5 e the set of all formal variables READING 5 , one associated with each sensor s 
Note that M and P~b may have non-empty intersection.) Let Cm be a set of 
f the form 

READING S -f /. < n < READING s -f r 8 . 
such constraint for each nominal expressions n being sensed by sensor s. 

isider the situation at plan execution time. The plan variables in P already 

I values assigned to them. Let p £ space(P) represent those assignments. The 

II read. The result is a point m £ M. (Recall that the error characteristics of 
re encapsulated in the constraints set C 5 .) The problem then is to determine 
nal values for the variables in P+ — P, consistent with the sensor readings, 
ts derived at plan time and the nominal values already chosen for variables in 

)t controller can find a set of consistent nominal values for all plan variables, 
1 point 

£ space(P^) 


50 













such t 


The fi 




in P 


interpj 


iU 


contro, 




world 
to intc 
I.e. it 


P 1 KWH 


contai 

search 


measu 


itiiri 




contro 


s, indt 
the foi 


"Mil* I 


Then 
can be 


proj(P + ,P,p + ) — p 

E proj(P+ U U+, P+, sot([ [C j U C s U C w ]p(p) } M (m),P+ U £/+)). 

these two requirements simply says that the old nominal values for variables 
ained. The second takes into account the sensor readings and chooses an 
n of the sensors consistent with the existing constraints. 

; can checkpoint plans. 

lat a sense operation has been introduced into a plan it is possible for the robot 
check that the sensor readings could possibly correspond to the model of the 
»y the robot planner and the plan checker. It implicitly must do this in order 
•he sensor values and choose nominal values for the quantities being measured, 
ity checks whether 

*««([ [Cj U Cs U C*Mp) ] M (m),P+ U U+) 

lint consistent with the values for variables in P, and the sensor readings, when 
an interpretation of the sensor values. If such a point does not exist then the 
ts from the sensors are inconsistent with the model of the world. 

n checker can arrange for the robot controller to do more however. The robot 
l be told how to to identify which sensor readings are implausible in themselves. 

time the plan checker can include in P+ a variable READING* for each sensor 
nt of whether l s and r s depend on that variable, and include a constraint of 
1.3) in C$. Then it can compute a set B s where 

B a D proj(P+ U U^~ , { READING* }, sat(Cj U C $,P~^ U 

t execution time when sensor s is read, and a value m s is returned, the plan 
ed by testing whether m s 6 If not, then the planned model definitely does 


51 











constr 
P ther 


Other 


compi 


urrent physical situation. Furthermore the identity of sensor s can give any 
y system a handle on where the inconsistency lies. 

itional constraints affect the plan. 

n 1.2 six possible outcomes for a plan checking algorithm were outlined. That 
; somewhat arbitrary but the six outcomes are maintained here to explain how 
perties of a computed set Cj/ can be used to characterize what can be done 
. The mathematical considerations in the characterization of the set C y are 
tie six outcomes below. 

1 be emphasized the the particular set C ^ computed by a plan checker depends 
ihecker itself. Plan checkers differ in the extent to which they need to alter a 
•e themselves that it will work. Such differences can be compared if costs are 
ossible alterations to a plan. The issues involved will not be addressed in this 

he plan checker does. 

n checker is given a plan P. It computes a set C* of additional initial 
liat it deems necessary to guarantee that the plan is sound. If support(C >/) C 
ini shed and the final plan is 

(9>PjU,V,Ci \J C}j f Cji,Cg). 

e plan checker introduces sensing into the plan to derive plan P + . It then 
lew set C~x as before on the basis of P+ resulting in a final plan 

(s + . P + ,V+, V, C+UC+C+ c£). 


52 










omes. 


: If no sensing was introduced, support(C u) C P and (A) and (G) hold then 
is sound and is simply the given plan subject to some extra constraints on 
ables. That is to say, some of the as yet unresolved decisions concerning the 
en further constrained. 



: Suppose sensing has been introduced, (A) and (G) are true for the new plan 
Cj) C P'K Then the plan with sensing is sound. 


: Suppose sensing has been introduced, (A)and (G) are true for the new plan, 
CjJn 0 P~^ f while support( Cj) C P + U . In this case plan P + should 
md the plan checker should back up to the original plan P augmented with 
lat suppori(C}j) 0 P. Now the previous plan islands should be rechecked, 
U Cjy as a stronger goal constraint than previously supplied. Essentially this 
force sensing to be carried out earlier in the overall plan so that the propagated 
-hat reaches this plan island will be reduced. 


: If any of the above conditions are met, except that (G) does not hold, then 
is physically realizable except that it doesn’t achieve the desired goal. The set 
s which can arise should be propagated forward to the next planning island, 
hat subsequent sensing and actions can be modified to handle the uncertainty 
t this step of the plan. 


: If none of the above conditions could be met (e.g. there are neither powerful 


53 






























plan. 


OUTC 


how n 
The t 


m 


sens- 
e ad 

ME I 
ch tl 
t sinn 


operations available nor could the planning islands before and ahead of this 
ipted sufficiently) then the plan F is unworkable in the context of the global 

: If sat([C] U P) — 0 then the plan is unworkable independently of 

e uncertaintites in the physical system can be reduced by sensing operations, 
ply asks whether the constraints are satisfiable even with zero uncertainties. 


54 



hV 


constr 


into s 




to rea 


mamp 

checki 


six ou 


backw 


appro 
plan, 
but th 


Him*] 




strain 


checke 
by the 


up.! 




constr 
inform 
plan c 




into a 




m Algorithm For Dealing with Position Errors And Toleranced Parts 

heart of a plan checker there must be a system which can reason about 
about their satisfying sets, and about the projections of those satisfying sets 
es. 

RONYM (Brooks (1981a)) system used such a constraint manipulation system 
>ut consistent interpretations of image features. This section takes a constraint 
1 system of the form used by ACRONYM and constructs an algorithm for 
; algebraic aspects of robot plans. It is capable of producing five of the 
? previously detailed. In particular it propagates constraints forwards and 
mongst planning islands, it introduces sensing operations when necessary and 
and when a plan is rejected it gives some analysis of what is wrong with the 
ding it to include the sixth possible outcome (outcome 4) is straightforward, 
i complexity detracts from the presentation of the algorithm. 

5.1 introduces some more notation concerning satisfying sets of sets of con- 

5.2 details the formal properties of the constraint system used in the plan 
known as the SUP-INF method. These properties are precisely those needed 

checker developed through the rest of section 5. Any other constraint system 
operties could equally be used as the core of the plan checking algorithm. The 
of the constraint system (and hence the algorithm) is not formally addressed, 
nt system used here is understood formally when restricted to linear sets of 
However for non-linear constraints the best characterization known so far is 
empirical. Section 4.3 discusses the issue of comparison of performances of 
l algorithms. 

5.3 introduces an important sub-procedure. It projects a set of constraints 
ce, over the satisfying set of a second set of constraints. This procedure is the 


55 


















u 


workhd 


Se e tion p.4 describes the main plan checking algorithm based on the SUP-INF method. 
Section 5.5 c itails how the SUP-INF method can be used to decide which physical quantities 
need tel be s< nsed, and section 5.6 gives a detailed example of the plan checker on the four 
plar s introduced in section 2.2. 


coupled 


5.1 M 6 


Tfi e constraint methods used at the core of the plan checking algorithm described in 
the following sections rely on estimating bounds on expressions over satisfying sets of sets of 
constrMnts. pome additional notation is convenient in order to characterize their behavior. 

priori: Given an expression e, and a set of constraints C, let W ~ suppori(e) U 
(C), jet S — sat( C, VF) then define 

lub(e,C) — sup[e]w(p) 

pes 


DEFIN 


support 


and 


Thus li\b(e, 
satisfying se 


5.2 Th^ 

B1 

sets of 
autorni 
assertio 
simplex 


Th 


rse fd 


e novation. 


com 


dsoe 
inea 
,ic g 
ins. 
met 


Is au 


r constructing sets Cjy. 


glb(e, C) = inf [e] w (p). 

pGS 

(|) is the least upper bound on the values achieved by the expression e over the 
of the constraints C. The greatest lower bound glb(e, C) is defined similary. 


mutational tools. 


1975) introduced what he called the SUP-INF method, to determine whether 
equalities had integer solutions. The problems he wished to solve arise in 
neration of proofs of correctness of programs using methods of inductive 
Sjiostak (1977) extended the method and showed that it was equivalent to the 
od over real linear inequalities. 


hor (Brooks (1981a), (1981b)) extended the SUP-INF method to handle a 


56 





elerne 


a com 


of bot 


conjui 

includ 


m 


and cl 


LH* 


iU[n 


additi 
a limi 
symbo 




»;*] 


Disjur 
on th 


5.2.1 


m 


expres 
possibl 
they d 


■ •in 


while 


lU 


if non-linear inequalities, and included simple extensions to handle certain 
unctions (e.g. sin and cos) in a primitive way. To support an implementation of 
lan checker, the author had to extend the method further to handle disjunctions 
jalitities and conjunctions of inequalities. It already implicitly handled simple 
of inequalities. As a by- product of this development it became possible to 
ich fuller treatment of quadratic forms. 

tion describes the computable functions of the extended SUP-INF method, 
srizes their capabilities. The precise algorithms used in the earlier versions of 
ethod can be found in Brooks (1981a) and Brooks (1981b). 

ions handled by the extended SUP-INF method can include operations for 
fraction, multiplication, division, square root, maximum, minimum, and (to 
tent) some trigonometric functions. Operations are on numbers, the special 
nd —oo and formal variables. 

ints are inequalities and conjunctions and disjunctions of constraints, 
can arise from simple inequalities if MIN is placed on the left of “<” or MAX 

ng with projections . 

’-INF method takes its name from two procedures, SUP and INF which bound 
iver satisfying sets of constraint sets. In general they do not provide the best 
ids, but in many cases (linear for instance, see below, but also often otherwise) 

y the symbolic result of SUP will be an expression of the form min(ej,..., e n ) 
ult of INF will be of the form max(ei,..., e n ). 

■ as an example the set of constraints defined by 


57 





















Cf = { X x x < y, x -f y < 7 }. 


Then 


Mil 


Let e 
Then ' 




whene 


No gu 


are no 


to thoj 
the be 


constr 


lim 


)cedures SUP and INF produce the results: 

SUP(“i + V", c £ , { y }) = min(7,2.1926 + y, y + yfy) 

INF(“i",C £ ,0) = -3.1926 

> procedures take three arguments. First consider the following special case. 
* 

expression, C a set of constraints, and suppose that support(e) C support( C). 
i (1981a) shows that 

lub(e, C) < SUP(e, C, 0) 

glb(e, C) > INF(e,C,0) 
is satisfiable, i.e. whenever 

sat(C. support( C)) ^ 0. 

J is made concerning the results returned by SUP and INF when the constraints 
lable. 

Lr sets of constraints the extended versions of SUP and INF behave identically 
Shostak (1977). He showed that under those conditions they actually find 
able bounds. That is for a constraint set C which consists entirely of linear 
md a linear expression e then 

lub{e, C) = SUP(e, C, 0) 

glb{ e> C) = INF(e, C, 0). 

58 








Figure 
and INI 


{ 0. An illustration of the projection and bounding behavior of the procedures SUP 
. Tie text contains detailed commentary. 


SUP(e, C, { y }) 



P- 

strains 
faces c 
bound 
set. M 


an exp 


pcedil 
, an 
ifinec 
he e] 
re fo 


Jlessio 


res SUP and INF are more general however. Given a satisfiable set of con- 
xpression over the satisfying set, and a subspace, SUP and INF compute sur- 
over the projection into the subspace of the satisfying set, which everywhere 
pression over the inverse image of the projected points in the original satisfying 
■mally, but perhaps more clearly, suppose support( C) C W, V C W, and e is 
i where support(e) C W. If 


sat(C, W) ^ 0 


then 


support(SUP(e, C, F)) C V, 
support( INF(e, C, V)) C V 


and 


V x 


;si 




(5.2.1) 


VV(lC,V)}v(proj(W,V,x)) > \e) w {x) > [INF(c, C, V)\ v (proj(W, V, *)). 


59 









a part: 
of cons 


Oil 


iiiiai 


iiffO 


That 


or not 


empty 
it alwj 


constr 




lily t 


(where 

“possi 


lilt 


.0 gives an illustration of these capabilites. There the set W is defined by 
, and V = {y}. The constraint set C is satisfied by the region shaded in 
le. The expression e takes values in the reals 3R over the satisfying set and 
Lhe surface patch illustrated. The darkened region of the y-axis illustrates the 
the satisfying set sat( C, W) into space(V). The shaded region in the y-SR plane 
ponding projection of the values achieved by e. The curves in the y- 3ft plane 
slow that shaded region correspond to the values achieved by the expressions 
SUP(e, C,V) and INF(e, C,F), both expressions in y, over the porjection of 
$ set. Notice that they are upper and lower bounds on the projection of the 
1 generated by e. 

a 1 decision procedure. 

cedures SUP and INF' can be combined (following Bledsoe (1975)) to produce 
ision procedure on sets of constraints. The decision concerns whether a set C 
s is consistent, i.e. whether the constraints are satisfiable, or formally whether 

sat(C, support(C)) 0. 

►cedure is partial comes from the fact that it can not always decide whether 
the case. In fact it has two outcomes; one that the satisfying set is definitely 
the other that it doesn’t know. This property is the cost of requiring that 
minate in some bounded time determined by the size and complexity of the 
t C. 

ision procedure is called DECIDE. Given a set of constraints C, then if 

Vv£ supp'ort(C), INF(v, C, 0) < SUP(v,C,0) 

efinition of “<” is extended to handle dr 00 correctly) DECIDE(C) returns 
isfiable” (or true), else it returns “definitely vnsatisfiab1e ,, (or false). 

:edure DECIDE is sound in the sense that it never returns an incorrect result. 


60 













I 


PROJ 
set of i 
satisfy 
mg set 
which i 


suppor 

project 

PRO. 

If a coil 


tion o> 


from the fact that SUP and INF return upper and lower bounds over the 
, of a set of constraints. 

se a procedure which always returns “possibly satisfiable” is also sound under 
n of soundness. Such a procedure happens to be worthless, however. A partial 
edure is only interesting is it sometimes detects unsatisfiable sets of constraints. 
,en it successfully detects such sets, the more interesting it is. 

f characterization of the extended SUP-INF decision procedure is empirical, 
in its use in tjie ACRONYM Bystem there was never a case observed where 
letect an inconsistent set of constraints. However it is possible to construct 
straints which is in fact inconsistent, on which DECIDE returns “possibly 
The philosphy adopted in ACRONYM was that if there was a failure to detect 
ncy at some point in the computation, it would more than likely be detected 
mplications of the inconsistency were propagated and became less subtle. 

sub-procedure. 

DECIDE, another important sub-procedure used in the plan checker is 
projects a set of constraints into a subspace over the satisfying set of a second 
aints in such a way that points which satisfy the projected constraints also 
iginal constraints. Essentially it tries to find prismatic subsets of the satisfy- 
first set of constraints, with elongation orthogonal to the projection subspace, 
tolly contained in the satisfying set of the second set of constraints. 

iriables sets W and V where V C W and constraint sets Ci and C 2 where 

C W and support( C 2 ) C W> the procedure PROJCS simply computes the 

Ci from space(W) to space{V), over the satisfying set of C 2 , by 
: ,U,C 1 ,C 2 ) 

>(a,C 2 ,U) < INF(6,C 2 ,U) n | “a < 6” 6 Cj, SUP(a, C 2 ,0) g INF(b, C 2 ,0)}. 
t contains conjunctions or disjunctions then PROJCS simply maps this projec- 

i terms. Thus PROJCS is a computable procedure which returns a set of 


61 



















constr 




and Icy 
trivial 
by the 


I IT 


HU 


mini 


LEMM. 


PROO 

constr 


But x 


a 


the co 


and he 


ex pres 
it cons 


expres 


“min” 


OH 


The sot V supports those constraints. The comparison of the numeric upper 
unds of a and b respectively simply serves to prune out constraints which are 
over the satisfying set of C 2 . The key property of procedure PROJCS is given 
ing lemma. 

i C = PROJCS(VF, V, C u C a ). Then 

sat(C U C 2 > W) C sat{C u W). 

x G sat(C U C 2 , VF), and let a < b where a and b are expressions in W be a 
Ci which is not trivially satisfied over sat(C 2 ,VK). 

E sat(C 2 ,W), then by the definition of function SUP (see (5.2.1)) 

[a] w (x) < [SUP(a, C 2 , V)] v (proj(W, V, x)) 

[]NF(&,C 2 ,U)]K(proi(lU,U,x)) < [6] w (x). 

C, W) also and hence satisfies every constraint in C. In particular C includes 
t 

SUP(a, C 2j V) < 1NF(6, C 2 , V) 

[a]w[x) < 

iaaUCuW).* 

:edure PROJCS often results in a set of constraints whose satisfying set is 
a disjunction of sets satisfying subsets of the constraints. This is because 
nequalities by putting expressions produced by INF, which includes “max” 
•n the right of “<” symbols, and expressions produced by SUP, which include 
sions, are put on the left. 

62 













; a plan. 

i checker must check a sequence of subplans at a particular level of abstraction. 
CHECK is defined later in this section which checks individual subplans, or 
't must be used by a higher level plan checker which typically would be part 
robot planner. In this paper we assume a simple model for the plan checking 
: robot planner, 

is given an initial state of the world and it propagates the effects of actions on 
sing CHECK, through the plan steps while constraining the plan variables so 
ns are guaranteed to succeed. Whenever a plan step is reached which can not 
;d to work by constraining plan variables or sensing at that step of the plan, 
inner backs up, again using CHECK, carrying back a set of goal constraints 
here CHECK can guarantee that the goal can be satisfied. It then proceeds 
n from that subplan aplying CHECK and propagating the results. 

>cess is illustrated below by checking the four plans A through B introduced 

there is room for much work on the role of the robot planner and the nego- 
h can take place between adjacent planning islands. This paper has not directly 
at issue, as it is more properly part of the planning process itself, rather than 
checking per se. What this paper has done is to give a mathematical framework 
those negotiations can be explored. 

checking. 

1 defines the procedure CHECKSIMP. It is the part of the plan checker which 
• a plan can be guaranteed to work simply by constraining the plan variables. 

jument list P is the plan to be checked and P* the plan which follows it in the 

63 











proce 

beg 


fTtnW 



chain 
plan 
stales 
In tha 


not co: 


THEO 


is sou 


in 


PROO 


TECKSIMP(,P, F*, FEEDFWD) 

DECIDE} |Cj U C^/tOt/)) 

utcome 6 
>egin 

C* ^-PROJCS(PUC/,P,C^,Cj) 

U (if FEEDFWD 
then 0 

else PROJCS[P\jUUV,P,C],CiUCg)); 

if DECIDE(Cj UC M ) 

then 

begin 

if FEEDFWD then PROPAGATE(P*, Cj U Cy UC^); 
return outcome 1 
end 

else return other 
>nd 

rocedure to check whether a plan will work if its plan variables are sufficiently 

ming islands. A flag, FEEDFWD, says whether the initial states of the following 
ild be used as a goal condition (when the flag is false) or whether the initial 
following plan should be derived from the current plan (when the flag is true), 
i procedure PROPAGATE is called to update P. Details of that procedure are 
:d here. 

f procedure CHECKSIMP produces outcome 1 then the plan 

[g,P ,U, V,Cj UC}jyC^ f Cg) 


ffices to show that conditions (A) and (G) hold. 

' was computed by procedure PROJCS the lemma of section 5.3 says that 
sat{C! UCj^PuU) C sat{C A ,PUU) 


64 





















V 


whence 


If 

used t 


td 


But p r 


Figure 12. An illustration of the various constraint sets and their satisfying sets involved in 
finding suffilient constraints on plan variables to guarantee that a plan will succeed. The 
text colntainl detailed commentary. 


cone 


C P 


sat{C*j,P* U U*) 


satlCj UCg,P{jUUV) 



sat(Cj UC A ,PUU) 


Constraints C 


u 


ition (A) is proved. 


iFEEDFifD was true then the theorem is proved. Otherwise the lemma can again be 
estallish that 


^(CjUCsUCj^PUt/UF) C 8at(C],P\j U U V)- 


and U* CU\JV whence condition (G) is satisfied. | 


65 









5.4.2 


mr 


ing th 



where 
set of i 


hiibm 


■iVlOfl 


states 
becaus 
be intr 


ones or 


which 
patch 
the P- 
conditi 


■ intuitive explanation. 

tion tries to give a more intuitive explanation of what is going on in construct- 
raints C p above. Consider figure 12. 

)licity (and drawabilty!) the sets P, U and V have been compressed to single 
addition the axes have been offset so that they don’t go through the zero values 
in U and V. The large region outlined in the P-U plane is sat(C If P U U) 
initial states possible for the original plan. The region in the P-V plane is 
U ). Note that in this case P = P and V = U *. The smaller region in the 
the region where the action of plan P is applicable ~ i.e. sat(Cj UC^,PU£/). 

ace floating above is the set of states which the action can achieve when applied 
itate. In this diagram there is only one resultant state per initial state, so that 
presented by a function. The surface patch is given by sat(Cj UC^, PUU\JV). 

of procedure CHECKSIMP is to further restrtict the set of initial states to 
tion is applicable and to where the resultant final state will project into the 
states of the following subplan P*. 

wishful thinking (see section 4.2) the cross section of the new set of initial 
»e identical in the U direction wherever it intersects the original set. This is 
:annot change the initial uncertainties purely by legislation — sensing must 
1 if that is desired. Therefore the only constraints allowed in this diagram are 
id so they must be parallel to the U~ axis. 

n (A) says that the initial states should be confined to be a subset of the points 
C^. Condition (G) says that the initial states should be confined so that the 
states above them projects into the initial set of the following subplan, in 
le in this case. The dashed lines give constraints Cwhich guarantee that 
) and (G) are satisfied. 


66 
















proced 

beg: 


i 


Figure 


5.4.3 


origina 
if it ca 
attemp 




can me 


section 
to mee 


measur 






IECK(P, P * , feedfwd) 

HECKSIMP(T, P*, FEEDFWD)of 
Bturn outcome 1; 
sturn outcome 6; 

;r: begin 

Cjv Ca U (if FEEDFWD 

then 0 

else PROJCS(P|Jt/ UV,P \J U,C*j,Cj UCo)); 
S +- SENSEVARS(Cj,C.y,P, U); 

P+ «— RESTRUCTURE^, s); 
case CHECKSIMP(/> + ,/> + *, .true.) of 
1: return outcome 2; 

6: return outcome 6; 
other:*if PROP13ACK(P, Cj^) 
then return outcome 3 
else return outcome 5; 

endcase 

end; 

se 

le main plan checking algorithm. 


le checking. 

3 gives the main plan checking algorithm. It uses CHECKSIMP to check the 
and simply passes on the result if the plan either fails to work completely or 
laranteed to work by simply constraining plan variables. Otherwise CHECK 
itroduce sensing into the plan to see if that will help. 

lets a new set C M , using PROJCS as does CHECK, but this time its support 
ncertainty variables from U. It calls a procedure SENSEVARS described in 
ow to decide which of the uncertainty variables need to be reduced by sensing 
ew constraints CV SENSEVARS returns a set of physical quantities to be 
1 associated sensors to do the measurement. 

edure RESTRUCTURE is invoked to carry out the operations described in 

67 











FEEDFWE) true 


3.3 sho 
the cal 
C A , na 


is trivi 


y sa 


) restructure the plan P by introducing new plan variables whose values will be 
at plan execution time by interpreting the chosen sensors. (Section 5.5 below 
practical simplifications which can be made to the constraints of section 4.2. 
nations are not approximations, but rather conservative estimates which result 
aler constraint sets and thus less computation time. Their drawback is that in 
nations the plan checker may reject a plan which is actually valid.) 

jcedure CHECK invokes CIIECKSIMP again to check the restructured plan, 
flag is passed true, so that subsequent planning islands will be restructured for 
ling variables. If CIIECKSIMP says that the restructured plan P+ is sound 
: is done and by the theorem above, the plan with sensing is sound. Otherwise 
e PROPBACK is invoked. It recursivley re-invokes the plan checker on the 
I already checked) plan, with FEEDFWD false, to see if it is possible to deliver 
plan P in a state where the uncertainties meet the constraints Cjy. Of course 
CHECK on the previous plan may again result in PROPBACK being invoked, 
•ccrusive calls of CHECK back through the chain of plans. If that recursion 
he PROPBACK returns false and procedure CHECK gives up by signalling 
f PROPBACK is successful then Cy defines a new plan which is again sound 
3 is the result. Examples ol the behavior of PROBACK are given in section 

nple. 

*tion CHECK is called on each of plan A through plan D succesively, with 
so that the initial constraints of the following plans are generated. Section 
e initial states for plan B which had been generated from plan A. In that case 
tOJCS in CHECKSIMP produces no new constraints, as the constraint from 

12.0 < B0X-P0S < 36.0 

isified. 


68 



















where 


for pi 


“other’ 
is that 
uncert 
them lij 

sens: 

values 
the ne 
in the 


IllflU 


sen sin 


the pr 
constr 
to fals 
than b< 


B0X-UN( 


(IHI 




illTM 


generates no new state information. Finally plan C generates initial constraints 

12.0 < B0X-P0S <36.0 
ef(BOX-POS) < BOX-UNC < e/^BOX-POS) 
e ( (BOX-POS)< LID-UNC < e^BQX-POS) 
ei(BOX-POS) < BOLT-UNC < e^BOX-POS) 

ei(x) = max(0.0002215x - 0.043262,0.0009857a; — 0.063329) 
e h (x) = min(0.043262 — 0.0002253a;, 0.063329 — 0.0009895:c) 
igain PROJCS generated no new constraints in this case. Note that 

P ={box-pos} 

U — {BOX-UNC, LID-UNC, BOLT-UNC}. 

IIECK is applied to plan D the first call to CHECKSIMF fails with outcome 
’ reason, although the plan checker can not isolate it to this level of analysis, 
e bolt and the lid line up well enough for initial insertion, there is too much 
n the relative positions of the box and lid to guarantee that the holes in 
. A new set C^ is computed where support{C^) C P U U. The procedure 
! is invoked and it deduces that BOX-UNC and LID-UNC have smaller ranges of 
C>/ constrains the intital states (SENSEVARS is described in more detail in 
ion). It correctly deduces that there is no need to reduce BOLT-UNC anywhere 
?f box positions. 

in is restructured to introduce sensing. However the procedure 
[JRE notes that no named physical quantities are introduced in plan D, so 
ot affect any action which is to take place. Therefore it immediately invokes 
’ PROPBACK. It propagates the set Cj U C* back to plan C as the initial 
plan D. Thus when CHECKSIMP is invoked on plan C with flag FEEDFWD Bet 
realized that plan C needs to produce a more tightly constrained world state 
\gain SENSEVARS is invoked and it recommends reductions in the ranges of 
.ID-UNC. 

e RESTRUCTURE is once again invoked. It decides that since there is only 


69 














[lit] 


<>■11* I 


enoug^ 
to bac 


5.5 In 


mi 


*mVsm 


CHEC 

duced 
the uni 
deterr 
The sei 


5.5.1 


iiruii 


«rin 


1 


i:S 


The sh 
single 
of cons 
identif 


It ft Mil 


10 IT'UM 


further 


sical quantity to be introduced, namely bolt: position, and since it depends 
osition, then it can only possibly help to sense the latter, and thus it can only 
i to reduce the uncertainty in the position of the lid and not in the position of 
ising is introduced, and then PROPBACK propagates forward from the new 
,n D once again. However plan D once again fails as the relative positions of the 
iave still not changed, and so there is no guarantee that they will line up well 
he bolt to be inserted through them both. Therefore PROPBACK continues 
rom plan C. The result is described below in section 5.6. 

ng sensing. 

5.4 described procedures to check plans. A major subprocedure invoked by 
SENSEVARS. Its job is to select physical quantities and sensors to be intro- 
plan to guarantee its success. There are two stages to that process. First 
ities which must be reduced by sensing need to be identified. These can be 
>y examing the set of new constraints Cjv. The prcoess is described below, 
tep is to choose sensors which will indeed reduce those uncertainties. 

g what needs to be sensed. 

figure 14. The outlined area in the P~U plan is the original set sat(Cj, P\jU). 
ubset of that area corresponds to sat{Cj UC^,P\JU). For a given value of the 
.riable in P a piece of the original set which is unshaded represents a tightening 
3 on the single uncertainty variable in U. In general it will be necessary to 
h uncertainty variables are so constrained. 

an uncertainty variable u G U and the problem of deciding if it has been 
rained. Let 

o s — SUP(ii,Cj,P \JU ~ {u}) 
o r — INF(u, Cj,P \JU — {u }) 
n s = SUP(u, Cj U C U ,P U V - { u }) 
n % = INF(tt, Cj U Cv, P U U ~ { u }). 


70 














Expre 


space 


at wh 




is tru 
hold f! 


involv 


is sati 




Kill 


applie 
is sho 


some 


are u 


than 


fit 


101 * 1 * 


o s and o t are the original bounds on u, (expressed as functions of the parts of 
pnal to u) and n s and n % are bounds on the newly constrained u. 

ideed constrained by the set Cjy then there exists some point 

x € space(P U U — { u }) 
i of 

[ n s]pU(7-{i 4 }W < K]p(Jl/-{u}M (5.5.1) 

[ n i]pUU~{u }(*) > Mpuu-wM (5.5.2) 

e remainder of this analysis only o s and n s will be considered. Dual statements 
md 

rmine whether condition (5.5.1) were ever true it would suffice to examine 
see if it were ever positive. However o s and n s will typically be expressions 
lin” and thus their difference will be too complex for the SUP-INF method. 

■ however that n a = min(7i s i, n s2 , ..., n sfc ). Then if for any e > 0 one of the 

C = C; U {u > n S j + e} 
then condition (5.5.1) is satisifed. 

re the algorithm SENSEVARS simply chooses some small e and for each u 
sdure DECIDE to each set of the form C above. If at least one of the sets 
be possibly satisifiable then u us a candidate for reduction. Note that if for 
ets are said to unsatisliable by DECIDE then (since DECIDE only says sets 
able when indeed they are unsatisfiable) u has nowhere been reduced by more 
5 pace(P (J U — { u }). 

xample of sections 5.4.4 and 5.6 a constant e of 0.000001 was used. 


71 







ng a sensor. 

e uncertainties are to be reduced by sensing have been chosen, it is necessary 
some geometric reasoning to find which quantities can be measured in order 
ose particular uncertainties. Each uncertainty is associated with a particular 
cal quantity in the geometry g of the plan. A quantity which can be sensed and 
ds on that named physical quantity must be found. That topic is not covered 
• 

candidate sensor has been found it would be advantageous to determine im- 
measuremcnt error is small enough to provide the desired reduction in uncer- 
re that one candidate sensor is found then this capability would be even more 
le SUP-INF method proves useful in this task also, but more work remains to 
he topic and meanwhile a useable plan checker can be implemented based on 
r method without this capability. 

g the constraints. 

l. 4.2 defined the constraints which can be inferred from adding a sense opera- 

m. Those constraints contain many variables and an equality. Such constraints 
ie SUP-INF method significantly, making the analysis of a sensing operation 
turns out however that a set of simpler constraints, essentially projections of 
ms into a subspace, are almost as strong as the originals. Thus it is possible 
' spent in plan analysis for the possibility of missing a correct plan when all 
re extremely tight. This exactly what the plan checker implemented by the 

on the implemented plan checker assumes that the robot controller will use 
ralue returned by a sensor as the new nominal value for the physical quantity 
The validity of such sensor interpretations depends on the ability at plan 
e to be able to split up a satisfying set of Cj into components where the 


72 




















physic 


II 


where 
by the 




imple 


ii 


variabl 
constra 
with th 


sense v 


the rel 


the se 


7e 


have a 


constr 


SB 


o so th 
introdu 


nomin 


1 


5.6 Co 


M 




T*m 


ntity ranges over a single interval. 

he notation used. A physical quantity represented by the expression o -f- v, 
support in P and v has support in U, is to be sensed and to be represented 
ssion n + u where n represents the nominal value and u the uncertainty. The 
plan checker introduces the following three constraints. 

n + /s(n)<o + SUP(v, Cj, support{o)) 

o -f- INF(v, C i, support(o)) <n -f r s (n) 

U <r s (n) 

1 two are an expression of constraint (4.3.1) projected into a subspace of plan 
e projection is conservative in the sense that anything that satisfies these two 
ill also satisfy (4.3.1). Thus the plan checker will have more situations to deal 
ght have been described by using the more exact constraint. Since no explicit 
! is introduced, but n is used directly instead, these two constraints also express 
jiven by constraint (4.3.3). The final constraint concerns the uncertainty in 
antity, and it takes the place of constraint (4.3.4). 

Hat the first two introduced constraints allow n, the new nominal value, to 
range of values than o, the older. Practically this often means that some 
iwly expressed in terms of n, will cut down the allowed range of values for 
nds up having the same range as did o before the sensing constraints were 
„ is this process which validates the use of the nominal sensor reading as the 
! for the quantity being measured. 

ig the example. 

again the example of the four coupled plans. 

ecting the introduction of sensing at the start of plan C the procedure 


73 










PROP 
physic; 
ing a i 
A. 

Pi 

an int 

rest] 

N< 

chec: 

value c 
the sen 

then tl 

is adde 
places 
BOX-POJ 
followii 


! 

■ 



Th 
lead to 


mini 


works back through plan B and plan A. At plan B it notices that no new 
itities are introduced, so sensing can not help. The extra constraints request* 
on in the uncertainty of the box and lid positions are carried back to plan 


imti 


flSHBl 


■e SENSEVARS suggests that the box position should be sensed. Since 
d physical quantity iid:position depends on box :position the procedure 
URE introduces sensing for that quantity. 

new constraints are propagated through the series of plans using procedure 
Extra constraints get added to the new plan A to ensure that the nominal 
sensor can be used as the nominal value of box.'position. For instance when 
s error characteristics 


igti 


traint 


-l s (m) — r s (m) — 0.0004 X m 


12.0454 < BOX-POS < 35.9579 




KaJUEJ 


mm*. 


extra constraints C^/ are needed until plan D is reached. The final subplan 
constraints on the plan variables (the initial nominal position of the box, 
only plan variable), depending on the error characteristics of the sensor. The 
e summarizes some results. 


nc 

-ion l a 

Function r a 

m 

135 X x 

0.00035 X x 


>40 X x 

0.00040 X x 


145 X x 

0.00045 X x 


50 X x 

0.00050 X x 

1 

55 X x 

0.00055 X x 


__ Resultin g C 

_ empty 

BOX-POS < 20.08^728T397~<1oFpos’ 
BQX-POS < 15. 6811 V 30.7618 < B0X-P0? 
BOX-POS < 12.8564 v 33. 9 237 < BOX-POS 
unsatisfiable 


sens >rs, with linear error, smoothly degrade the range of initial box positions which 
nal e iccess of plan D. With an error factor of 0.00035 the plan can be successfully 


74 




















carrier 


centr 
of sen 
availa 


ing t 
CIIE 
propa 
plans 


11 


nllii 


wherever the box is initially placed. For 0.00040, 0.00045 and 0.00050 the 
>n of the working area of the manipulator is forbidden, as the combination 
or and manipulator uncertainty makes the plan infeasible. If the only sensor 
5 an error factor of 0.00055 then nowhere is sensing powerful enough. 

latter case when the plans are propagated forward from plan A with sens- 
to plan D, the plan checker finds that the set C. v computed by procedure 
P leads to no feasible initial positions for the box. There is nowhere left to 
ackwards from plan A so it must conclude that in this case the sequence of 
isible due to inadequate sensing. 










HI 


dev el 
able t 
of pla 
to int 


6.1 PI 




notio 


llutl 


<1 


Sacerc 
tion n 
to knc 
Stefik 
but it 
planni 
be cor 
of tbei 


progr 


I HI 


rung s 
ABST 
much < 
world 


tion time (i 


idea, 


6. Related Questions 

per has developed a formal model for checking robot plans. To do so it first 
formal model of plans. Plans are the result of planning. The plan checker is 
fy plans, but there has been no development in this paper of the formal process 
Thus there are some deficiencies in the model of plans used. Work is needed 
the model presented here with more creative planning processes. 


ark on planning has been restricted to abstract domains where there is little 
netric, let alone spatial relations, errors or tolerances. 

i’s (1975) HACKER program works entirely in an abstract blocks world. 
1977) NOAH is not restricted to the blocks world, but every problem descrip- 
a procedural semantics of the domain to accompany it. The user really needs 
solution in advance in order to decide the form of the semantic description. 
1) MOLGEN works in a domain of planning molecular genetics experiments, 
’t even have a strong notion of quantity. All these programs concentrate on 
t in a domain with impoverished semantics. The semantics of their worlds can 
iy specified in a few lines. They plan within that very simple world. Many 
s are useful for robot planning, but one should not suppose that any of these 
i capable of producing plans that could possibly work in a real world. 

STRIPS sytstem (Sacerdoti (1974)) is often cited as a real world robot plan* 
Indeed, a physical robot, SHAKEY, was controlled by plans generated by 
However, SHAKEY was restricted to a tightly controlled environment, and 
engineering ensured that the world was relatively benign. Errors that the real 
uced were handled by having the complete planing system available at execu- 
PLANEX) to modify the pre-computed plans. As such, this is an excellent 
untime processing power makes it viable, to handle deviations in the modelled 


76 

















world 


time 

compl 


can o 


from t ■ 
extra < 
gravity 


arrant 


the pei 
a part 

. i 

the sy 


fifties 


IOC 


the d 


II 


i 


ment 


of its 
knowr 
to be 
dimen 


errors 


i Minn 


that 

comp 


S 


(OCtd 


iBlMOTi 


planni 
powerl 
due to 


and t 


1 


that encountered in the real world. It has the disadvantage of the execution 
y turning into somewhat of a “hit-and-miss” affair, where the models are not 
idequate, so a cycle of “action, sense, new action to achieve the same goal”, 
velop. 

n’s (1973) BUILD system, incorporated three dimensional models of objects 
cks world. Uncertainties of size and position ((1973) p. 48) were ignored as an 
ication to be tackled later. Fahlman did however deal with objects touching, 
‘rictional forces. BUILD is capable of impressive behavior in the face of complex 
,s of blocks where these forces are significant. Fahlman claimed that “80% of 
mce” of his system derived from the level of detail in the model it was given of 
situation, while the remainder came from the planning knowledge embedded in 
Further, he claimed that the planning aspects are greatly simplified by having 
models. His system is probably unable to deal with real- world problems, but 
oser than the other planning systems mentioned above. 

' (1980) programmed a mobile robot to navigate through a cluttered environ- 
a visual map. It took into account errors and their effects at many stages 
itations. Because of its simple model of the world as clusters of points with 
space coordinates it had to be very generous in enclosing them with spheres 
d. It had a self model of how commands to its motors would affect its three 
location and orientation. This model took into account frictional forces, and 
ilways assumed worst case errors to analyze the possible outcomes. Features 
:ated by its nine eyes were also considered to be prone to error. All of Moravec’s 
s were of the form of propagating errors forward, then checking the result. 

'1976) has carried out by far the most realistic analysis of errors in robot 
date. He used some symbolic geometric reasoning techniques, and many 
nerical techniques. The example in section 2.1 of this paper is originally 
>r. His work differs from that here, in that he essentially propagated errors 
es numerically forward through a physical situation, then checked at the end 


77 









wheth 


or mo 


search 


nume 


the co 


■ 




veloper 
They u 
from re 


tolera 
the fr 


strain 


6.2 In 


niaaawi 


! I IL«4Vil 


! 


island 
were t 
to inte 


mill 


liitli 


IMHE 


langua 

i 

explict 
explici 
treat e 
check | 
smart 
be inv 


111 Mil 


i things as applicability conditions were met. If not, the plan was either rejected 
it the point where the applicabilty condition was violated (e.g. initiate a spiral 
force sensing to find the hole for the screw to fit in). 

thods presented in this paper have their roots in Taylor’s work. Instead of 
mputation in one direction, the computation (of the constraints) is symbolic; 
tions can be proceed in any chosen direction. 

and Popplestone (1975) and Popplestone, Ambler and Bellos (1980) have de- 
issembly programming system which has many elements of planning in it. 
imetric models of objects and infer spatial locations and orientations of parts 
iships between them (e.g. “against” or “fits”). They do not take into account 
ut instead work with nominal representations of distances and angles. Within 
rk of this paper much of what they do can be characterized as finding con- 
lan variables. 

»n of planning and checking. 

ails of how the implemented plan checker propagates information from plan 
n island, and exactly how it might fit in with an automatic planning system 
:at extent ignored in this paper. That is largely because there are many ways 
such plan checkers with planning systems. 

hecker such as presented here could be integrated with a robot programming 
a number of different levels. The programmer might be required to model 
uncertainty effects of each individual motion command, along with providing 
mnditions on the applicability of that motion. The plan checker could then 
lotion command as an individual plan island in a sequence of planned steps, 
dity and propagate the uncertainties to the next motion command. Like a 
er it could provide error messages about why the sequence of motions might 
a higher level robot programming language which included geometric models 


78 









of the 
be inf 


given 


was n 


prese 



instan 
rely o 
tool, 
which 


yniTi 


niuii 


» 


planni 
it is cl 


appro 


followi 


6.3 Th 


Ideally 

partial 

model 




Ua*] 


an 




:MhO 


ittiHia 



f* 5 • 




being r 


• 'tm 


mlator and objects in the world, applicability and geometric constraints could 
nore automatically by examing the motion statements. Again, advice could be 
human programmer concerning critical points in the program where sensing 
or new motion commands were required, 

automatic planning system culd also benefit from the plan checking approach 
this paper. Both Lozano-Perez (1976) and Taylor (1976) have discussed 
terns which expand skeleton program fragments into complete robot programs 
to account the constraints implied by the geometry of the particular world 
ten there are decisions to be made in fleshing out such skeletons which must 
1 interactions. The plan checker presented here could be used as such a decision 
same time it can be used as the “test” part of a “generate and test” approach 
anner might use for decisions which its expertise gives no guidance. 

FT system of Popplestone, Ambler and Bellos (1980) takes over some of the 
den from the human programmer. From the discussion of the previous section 
it much of what the plan checker does is in the spirit of the Rapt system’s 
planning by solving relational constraints. It seems that a plan checker 
framework described in this paper could be naturally built on top of Rapt. 

of constraints. 

straints used in the implemented plan checker are all algebraic inequalities, 
mid like to find ways to express much more geometric constraints and develop 
)n procedures that could deal with them in a manner adequate for using the 
ts presented in this paper. The algebraic constraints used to date, constrain 
dons of, essentially, “topologically” equivalent situations. They give no hint 
bout classes of states whose members include radically different topologies. 

d of plans (but not of sensors) given in section 3 is independent of the variables 
ued or the constraints being inequalities. This gives some hope that it may be 

79 
















T 



mftm 


model 
of im 
check 


ensur 


H 


readin 


! .‘Mil 


ttend the plan checking formalism into the area of geometric checking, besides 
y algebraic aspects presented here. 


)er has concentrated on the algebraic aspects of robot plans that include explicit 
certainties in the physical world. Earlier work (Brooks (1981a)) has shown how 
the geometry of a world model to the algebraic aspects studied here. A formal 
ns was developed, and a formal model of a plan checker followed. The details 
ting a particular plan checker were discussed, and it was shown that the plan 
d check the plan, constrain certain decisions and introduce sensing in order to 
die plan would work. 

Acknowledgements 

isentation of the work in this paper has benefited materially from careful 
irafts by J. Michael Brady and Tomas Lozano-Perez. 












References 


A1 

76—86]E i 


A 

Spec//) 

B 

75, Ti 

B[| 

Artifici 

Br 


Imblerl 

r'.d 


•:>oks, 
dissertation, 


Dh 

Assem 


tation, 


Lc 

tion, IV 

Mi 

Feldnic 


M6 


Seeing 


Ifdsoel W. W. 1975. A New Method for Proving Certain Presburger Formulas, IJCAI- 
flsi, Georgia, U.S.S.R., Sept., pp. 15-21. 

ooks, R. A. 1981a. Symbolic Reasoning Among 3-D Models and 2-D Images, 
al Int diligence (17):285-348. 


bus. 


Sm 


pke, 

to q 


MIT 

sano 

T ,J 

#sky, 
and 


ravec! 
1 Hobo 


I. S. and Evans, J. M. 1976. Robot Sytems, Scientific American, Feb,, pp. 


A. P. and Popplestone, R. J. 1975. Inferring the Positions of Bodies from 
.tial Relationships, Artificial Intelligence (6):175~208. 


IT A. 1981b. Symbolic Reasoning Among 3-D Models and 2-D Images, Ph.D. 
Stanford AIM-343, June. 

3. 1977. Using Compliance in Lieu of Sensory Feedback for Automatic 
larles Stark Draper Lab. Report T-657, Sept. 


FcihlmaJ, S. E. 1973. A Planning System for Robot Construction Tasks, M.S. disser- 
U TR-283, May. 

Perez, T. 1976. The Design of a Mechanical Assembly System, M.S. disserta- 
-TR -397, Dec. 

|M. 1963. Steps Toward Artificial Intelligence, in Computers and Thought, J. 
E. A. Feigenbaum (eds.), McGraw-Hill. 


H. P. 1980. Obstacle Avoidance and Navigation in the Real World by a 
Rover, Ph.D. dissertation, Stanford AIM-340, Sept. 


81 

















for D 


■MmUj 


Hlif 


Intelli 


Coor 


JAC 


Ml 


mmii 




Jan. 


Specif! 




itone, R. J., Ambler, A. P. and Bellos, I. M. 1980. An Interpreter for a Language 
ig Assemblies, Artificial Intelligence (14):T9~107. 

ti, E. D. 1974. Planning in a Hierarchy of Abstraction Spaces, Artificial 
(5):115-135. 

ti, E. D. 1977. A Structure for Plans and Behavior, American Elsevier. 

y, J. K. 1980. Active Stiffness Control of a Manipulator in Cartesian 
19th IEEE Conference on Decision and Control, Albuquerque NM, Dec. 

, R. E. 1977. On the SUP-INF Method for Proving Presburger Formulas, 
29-543. 

1. 1981. Planning With Constraints, Ph. D. dissertation, Stanford, HPP-80-2, 

i, G. J. 1975. A Computer Model of Skill Aquisition, American Elsevier. 

II. 1976. A Synthesis of Manipulator Control Programs from Task-Level 
s, Ph.D. dissertation, Stanford AIM-282, July. 


82 

. i 














Appendix 



ira 


plann 


declar 


intern 




POSIT 


be AN 


Ml 


;;; e 


UNIT 


;;; n 



There 


mamp 

;;; up 

(FUNDE 

(MAX 

(FUNDE1 

(MIN 


imple introduced in section 2.2 and referred to throughout the paper has been 
in implemented plan checker. The plan checker runs on a Lisp Machine at the 
diligence Laboratory at the Massachusetts Institute of Technology. Below is 
put specification to the checker which describes the four coupled plans. This 

2 d by hand, but in the future may be generated as the product of a task level 
tern. 

le plan data-base is initialized and then the named physical quantities are 
he entries POS and UNC simply declare the postfixes to be used in generating 
able names, so that internal data structures can more easily be debugged. The 
ry defines tlie type of each named physical quantities (another example might 

of four coupled plans 

PLAN-DATA-BASE) 

tysical quantitites 

POSITION POS UNC) 

POSITION POS UNC) 

‘ POSITION POS UNC) 

is are then defined to specify the uncertainty behavior of the manipulator, 
ipecific model of the manipulator used by the plan checker at this level. The 
behavior is encoded in the sets of constraints Cg. 

d lower bounds on manipulator uncertainty 
X) 

0.0002216 X) -0.043262) (+ (* 0.0009857 X) -0.063329))) 

X) 

-0.0002253 X) 0.043262) (+ (* -0.0009895 X) 0.063329))) 
r characteristics of the sensor are defined, and then a model of the sensor itself 


83 
















is giv 
quant 


» I » S' 


HI 


(FUND 

(FUND 

(DEFS1 


»I3 

■■ 

3>h3 


> kill 


NPQ-I) 
entry 
intro 
the nj 
used z 
in the 
the co 
check 




[10523 


sensin 


;;; p 


(DEFP 


r«j] 


MljlU 


(DEFP 


e model is in terms of its error characteristics and the type of named physical 
hich it can measure. 

and bounds on its errors. 

(X) (* -0.0004 X)) 

(X) (* 0.0004 X)) 

CAMERA LS RS ’(POSITION)) 


e four plans are defined. There are up to four slots defined for each plan, 
a list of named physical quantities which describe the state of the world at 
: plan. NPQ-ADDED-DEFS is a list of pairs describing named physical quantities 
nto the world state by the action of the plan. The first element of each pair is 
the new quantity and the second is an expression whose nominal value will be 
minal value for the introduced quantity. Thus in plan A the lid is to be placed 
nominal place as the box. The slots ABSTRACT-CA and ABSTRACT-CG describe 
:it sets C A and C g in terms of the named physical quantities. During the plan 
5cess they will be expanded in terms of plan and uncertainty variables. As 
ations get introduced, those expansions will change. 

Cinitions 

\NA 

MNIT ’ (BOX-POSITION) 

i-ADDED-DEFS ’((LID-POSITION BOX-POSITION)) 

3TRACT-CA ’((IN (NOMINAL LID-POSITION) 12.0 36.0)) 

3TRACT-CG ’((IN (UNCERTAINTY LID-POSITION) 

(EL (NOMINAL LID-POSITION)) 

(EH (NOMINAL LID-POSITION))))) 

MB 

l-INIT ’(BOX-POSITION LID-POSITION) 

JTRACT-CA ’((IN (- BOX-POSITION LID-POSITION) -1.0 1.0))) 


84 







(DEFP 


(DEFP 


The s 
realit 
the p 


ttt 1 


(INIT 


-INIT ’(BOX-POSITION LID-POSITION) 

-ADDED-DEFS ’((BOLT-POSITION LID-POSITION)) 
TRACT-CA ’((IN (NOMINAL BOLT-POSITION) 12.0 36.0)) 

TRACT-CG ’((IN (UNCERTAINTY BOLT-POSITION) 

(EL (NOMINAL BOLT-POSITION)) 

(EH (NOMINAL BOLT-POSITION))))) 


AND 

Q-INIT ’(BOX-POSITION LID-POSITION BOLT-POSITION) 
STRACT-CA ’((IN (- BOLT-POSITION LID-POSITION) 

(% -7. 64.) 

{% 7. 64.)) 

(IN (- LID-POSITION BOX-POSITION) 

. (H -3. 64.) 

(% 3. 64.)))) 


, the initial state of the world is specified, and plan A is appropriately initialized. 
-LIST is tilled with a list of named physical quantities corresponding to physical 
he world’s initial state, while ABSTRACT-CS is a list of constraints which describe 
initial states of the world. 

state of the world 
-PLAN PLANA 

NPQ-LIST ’(BOX-POSITION) 

ABSTRACT-CS ’((IN (NOMINAL BOX-POSITION) 12.0 36.0) 

(IN (UNCERTAINTY BOX-POSITION) 

(EL (NOMINAL BOX-POSITION)) 

(EH (NOMINAL BOX-POSITION))))) 


85 









